marketplace-structure

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH

Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill describes the structure and management of plugin marketplaces. The primary security concern stems from the inherent design of a plugin system that allows for arbitrary command execution and external code fetching. While the skill itself is documentation and provides good security recommendations, the capabilities it describes pose a HIGH risk if not managed carefully by the user.

Total Findings: 4

🔴 HIGH Findings:
  • Arbitrary Command Execution via Plugin Hooks/Servers

  • references/schema-reference.md: The hooks and mcpServers fields within a plugin entry can specify a command to be executed. For example, "command": "${CLAUDE_PLUGIN_ROOT}/scripts/validate.sh" or "command": "${CLAUDE_PLUGIN_ROOT}/servers/db-server". While the examples use relative paths within the plugin, a malicious plugin could define an arbitrary command, leading to code execution on the user's system if an untrusted plugin is installed and its hooks or servers are triggered.

🟡 MEDIUM Findings:
  • Unverified External Plugin Downloads

  • SKILL.md, examples/, references/: The marketplace system allows plugins to be sourced from arbitrary GitHub repositories (owner/repo) or Git URLs (https://gitlab.com/team/plugin.git). While the skill is documentation and does not perform these downloads itself, it instructs the user on how to configure a system that will. Installing plugins from untrusted external sources without thorough vetting poses a significant risk of introducing malicious code. The skill does provide recommendations for plugin verification, which is crucial.

🔵 LOW Findings:
  • Credentials Management Awareness

  • SKILL.md, references/distribution-patterns.md: The skill describes the use of environment variables like GITHUB_TOKEN, GITLAB_TOKEN, and BITBUCK_TOKEN for authenticating with private repositories. While this is a standard and necessary mechanism for accessing private resources, it highlights a point of security awareness for users. Mishandling these tokens (e.g., hardcoding, exposing them) could lead to unauthorized access. The skill explicitly recommends "No credentials in marketplace.json", which is a good practice.

ℹ️ INFO Findings:
  • Indirect Prompt Injection Risk in Metadata

  • SKILL.md, references/schema-reference.md: Various string fields within marketplace.json and plugin.json (e.g., name, description, keywords, author fields) can contain arbitrary text. A malicious marketplace or plugin author could embed prompt injection attempts within these metadata fields, potentially influencing the AI's behavior when it processes this information. This risk arises from the data the system processes, not from the skill's instructions themselves.

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 02:32 PM