skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill is designed to fetch and install executable content from GitHub. By supporting arbitrary repositories via the --repo and --url flags, it enables a direct path for remote code execution of unverified scripts into the local environment.
- [EXTERNAL_DOWNLOADS] (LOW): The skill performs network operations to fetch data and code from GitHub. While the openai organization is trusted, the open-ended nature of the tool allows connections to any repository.
- [COMMAND_EXECUTION] (MEDIUM): The skill requires sandbox escalation to perform the network and file system operations necessary for installation.
- [CREDENTIALS_UNSAFE] (MEDIUM): The documentation notes the use of GITHUB_TOKEN or GH_TOKEN for accessing private repositories. This introduces a risk of credential exposure if the tokens are not handled securely by the underlying Python scripts.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection from malicious repository metadata or skill lists.
  1. Ingestion points: GitHub API and repository files via list-skills.py.
  2. Boundary markers: None identified in instructions.
  3. Capability inventory: File-writing to the skills directory and subsequent execution of installed scripts.
  4. Sanitization: No sanitization of downloaded content is described.
Recommendations
- AI detected serious security threats
Audit Metadata