Skills
skills/sanity-io/sanity/find-skills/Gen Agent Trust Hub

find-skills

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses npx skills, which triggers the download and execution of the skills package from the npm registry at runtime.
  • [EXTERNAL_DOWNLOADS]: The npx skills add command is used to download and install modular packages (skills) from external sources such as GitHub repositories.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (npx skills find, npx skills add, npx skills check, etc.) based on user queries.
  • [AUTOMATED_INSTALLATION]: Instructions include the use of the -y flag (npx skills add <package> -g -y) which explicitly skips confirmation prompts when installing remote code, reducing user oversight of executable content being added to the system.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from an external registry (search results from npx skills find). If an attacker publishes a malicious skill with a deceptive name or description, the agent might inadvertently recommend or install it based on the search output.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 12, 2026, 11:00 PM