skill-finder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill implements a workflow to autonomously fetch files via curl and write them to the agent's internal directory (.agent/skills/). Because the agent is instructed to immediately read and follow these new instructions (Step 5), this facilitates arbitrary code or instruction execution from untrusted remote sources.
- [PROMPT_INJECTION] (HIGH): The skill is inherently vulnerable to Indirect Prompt Injection. It ingests untrusted content from the web and adopts it as instructions without sanitization or boundary markers. Evidence Chain: 1. Ingestion points: read_url_content/curl (SKILL.md); 2. Boundary markers: None; 3. Capability inventory: File-write to skills directory, curl, search_web; 4. Sanitization: None.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill performs downloads from any GitHub repository found via search, bypassing security controls. It does not follow the [TRUST-SCOPE-RULE], as it targets any repository matching a filename search rather than specific trusted organizations.
- [COMMAND_EXECUTION] (MEDIUM): The workflow explicitly utilizes the curl command and local file system write operations to modify the agent's environment, which provides a mechanism for persistence and privilege escalation if malicious content is fetched.
Recommendations
- AI detected serious security threats
Audit Metadata