skills-sync

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The install_uv function in scripts/skills_sync.py downloads and executes a remote shell script from https://astral.sh/uv/install.sh (or install.ps1 on Windows) by piping it directly to the system shell (sh or powershell). This pattern allows for the execution of unverified remote code without local inspection.
  • [COMMAND_EXECUTION]: The script uses the subprocess module to execute various shell commands, including git, uv, and platform-specific package managers. The install_git function specifically attempts to use sudo on Linux platforms to install system-level packages, which constitutes privilege escalation.
  • [EXTERNAL_DOWNLOADS]: The skill is configured in pyproject.toml and scripts/skills_sync.py to download and install its primary dependency, skills-ref, directly from a third-party GitHub repository (github.com/agentskills/agentskills.git) during initialization, bypassing standard package registry security checks.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection risk by aggregating instructions and metadata from SKILL.md files located in remote repositories (specified in repos.txt) and writing them into .cursor/rules/skills.mdc. An attacker who controls a listed repository could inject malicious instructions that the AI agent would then adopt as part of its system rules.
  • Ingestion points: The script reads SKILL.md content from cloned Git repositories into scripts/skills_sync.py via the scan_skills() and extract_skills_from_repo() functions.
  • Boundary markers: The generated XML in .cursor/rules/skills.mdc does not utilize sanitization or explicit boundary markers to prevent the interpretation of malicious instructions within the aggregated data.
  • Capability inventory: The skill has the capability to execute shell commands, manage files in the project root, and install system tools.
  • Sanitization: There is no evidence of sanitization or filtering of the natural language content extracted from remote SKILL.md files before inclusion in the system configuration.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 13, 2026, 09:49 PM