skill-installer
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The core functionality is to fetch and install new executable skills from remote sources. This is a direct vector for Remote Code Execution (RCE) if an untrusted or malicious repository is provided, as the agent will subsequently load and execute code from the installed directory.
- EXTERNAL_DOWNLOADS (HIGH): The skill is configured to download content from arbitrary GitHub repositories using the `--repo` and `--url` flags. While it targets `openai/skills` by default (a trusted source), it does not restrict downloads to that organization, allowing potentially malicious code ingestion from any GitHub user.
- COMMAND_EXECUTION (MEDIUM): The skill relies on local Python scripts (`list-skills.py`, `install-skill-from-github.py`) that perform filesystem operations and network requests. The instructions explicitly mention requesting privilege escalation in sandbox environments to perform these tasks.
- DATA_EXFILTRATION (LOW): The skill notes the use of sensitive credentials such as `GITHUB_TOKEN` or `GH_TOKEN` for accessing private repositories. If the installation process is compromised or directed to a malicious endpoint, these tokens could be exposed.
- INDIRECT_PROMPT_INJECTION (LOW):
  - Ingestion points: The skill fetches repository structures and names from external sources via the GitHub API.
  - Boundary markers: None identified; the agent may be susceptible to instructions embedded in repository names or metadata during the listing process.
  - Capability inventory: Network access, file system writing, and execution of helper scripts.
  - Sanitization: Not explicitly documented; the skill assumes the safety of the curated list but extends functionality to untrusted sources.
Audit Metadata