skill-installer
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [SAFE]: No malicious code patterns, obfuscation, or unauthorized network operations were detected.
- [COMMAND_EXECUTION]: The skill uses
subprocess.runto execute a local internal maintenance script (scan_registry.py). This is a standard administrative operation used to synchronize the skill database with the local filesystem. - [SAFE]: The tool features an automated validation step that identifies and prevents the installation of files containing secrets or credentials, such as
.envfiles, SSH private keys (*.key,*.pem), and credential JSON files. - [SAFE]: Security mitigations are integrated into the workflow, including the use of
yaml.safe_loadfor parsing skill metadata and the strict sanitization of skill names to a restricted set of alphanumeric characters and hyphens, preventing path traversal attacks.
Audit Metadata