skill-installer

Fail

Audited by Socket on Feb 23, 2026

2 alerts found:

Security: Obfuscated File
Severity: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected. No explicit malware or obfuscated payload is present in the provided documentation. However, the installer workflow as documented allows installing arbitrary code from a network catalog into local agent harness directories without documented integrity verification or safe-extraction practices. That is a significant supply-chain risk: a malicious or compromised catalog package could place arbitrary files into user directories and later execute in the agent environment. Recommend implementing and documenting cryptographic signatures/checksums for catalog packages, validating package contents (no path traversal), prompting before overwrites, and documenting the catalog endpoints and trust model. Treat this skill as potentially vulnerable until such protections are added.

LLM verification: The provided content is documentation for a skill installer and contains no explicit malicious code. However, the described functionality (downloading and installing arbitrary skill packages into harness directories) is inherently high-risk from a supply-chain perspective unless the concrete implementation includes robust safeguards: cryptographic verification of catalog packages, strict path sanitization, overwrite confirmation, and least-privilege file operations. Treat catalog installs as unt

Confidence: 80%
Severity: 75%

Security: Obfuscated File
Severity: HIGH
scripts/install_skill.py

No explicit signs of intentional malware or stealthy backdoor constructs are present in this file (no eval/exec, no obfuscated payloads within this module). However, the code exposes moderate supply-chain and filesystem risks: unsanitized file paths when writing downloaded content enable path traversal and arbitrary writes, and the tool will install arbitrary files into agent harness directories (and can remove existing directories with --force). If an attacker can control the configured catalog API or the agentskills_config, they can deliver malicious skills that get installed and executed by agent runtimes. Recommend immediate remediation: reject/normalize file paths from remote content, add integrity/signature verification, and avoid untrusted sys.path mutation. Treat the package as moderately risky until fixes are applied.

Confidence: 98%
Audit Metadata
Analyzed At
Feb 23, 2026, 06:56 AM
Package URL
pkg:socket/skills-sh/SkillsCatalog%2Fregistry%2Fskill-installer%2F@12dda86e2f38a42a1d6dea6e06088a93deec665d