skill-install
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill retrieves directory structures and raw file content from the GitHub API and GitHub's raw content CDN, which are well-known services.
- [COMMAND_EXECUTION]: The skill utilizes a file writing tool to create directories and files within the local environment at `~/.claude/skills/`, and instructions explicitly mandate setting executable permissions for downloaded scripts.
- [REMOTE_CODE_EXECUTION]: The primary purpose of the skill is the retrieval and installation of code from external repositories for later execution within the agent environment.
- [PROMPT_INJECTION]: The skill's security scanning mechanism is vulnerable to indirect prompt injection. Malicious content within the downloaded skill files could be crafted to manipulate the security scanner's analysis, potentially forcing a false positive 'SAFE' verdict.
  - Ingestion points: External file content fetched from user-provided GitHub repositories in Step 4.
  - Boundary markers: The template in `references/security_scan_prompt.md` interpolates content using a `{skill_content}` placeholder without the use of robust delimiters or 'ignore embedded instructions' warnings.
  - Capability inventory: The skill can write arbitrary files to the disk and modify file permissions through the installation workflow in Step 7.
  - Sanitization: There is no evidence of sanitization or filtering of the remote content before it is passed to the security scanner or written to the filesystem.
Audit Metadata