skill-installer

Fail

Audited by Socket on Feb 17, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill metadata describes an installer whose capabilities are consistent with its stated purpose: listing and installing skills from GitHub into $CODEX_HOME/skills. Downloads come from GitHub (official), and use of GITHUB_TOKEN or host git credentials to access private repos is expected. The primary security concerns are operational rather than covert malicious behavior: installing arbitrary repository contents (including potential overwrites of existing or system skills) carries supply-chain risk; tokens and SSH keys grant access to private repos and must be handled securely; the doc does not mention integrity verification or safeguards against accidental overwrite. I do not see clear signs of obfuscation or explicit malicious code in this metadata, but the installer inherently enables installing arbitrary code, so it requires careful runtime controls, user confirmation, and validation when implemented.

LLM verification: The skill is a legitimate installer for agent skills and its described behavior (network fetches, git fallback, writing into CODEX_HOME/skills) matches that purpose. There is no direct evidence in the provided text of obfuscation or explicit malicious code (e.g., exfiltration, reverse shells). However, the ability to install arbitrary repositories (including private ones using tokens or system credentials) into the agent's executable plugin directory without mandatory integrity checks or sandbox

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 17, 2026, 04:12 PM
Package URL
pkg:socket/skills-sh/ratacat%2Fclaude-skills%2Fskill-installer%2F@97354812183c05f12316612934f97fa5b2970585