skill-search
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (HIGH): The skill utilizes `npx` to fetch and execute packages from untrusted marketplaces. It explicitly instructs the agent to use flags like `--all` and `--amp` to suppress user confirmation, allowing for silent installation of potentially malicious code.
- External Downloads (MEDIUM): The skill performs network operations via `curl` to `skills.sh`, a non-whitelisted domain, to retrieve search results that directly influence subsequent execution logic.
- Persistence Mechanisms (HIGH): Upon installation, the skill automatically symlinks downloaded content into sensitive agent configuration directories (e.g., `~/.claude/skills/`). This ensures that any malicious logic persists across sessions and affects multiple agent types.
- Indirect Prompt Injection (LOW): The skill is vulnerable to Indirect Prompt Injection. Evidence:
  1. Ingestion points: Search results from the `skills.sh` API and the `ctx7` CLI.
  2. Boundary markers: Absent; search results are processed directly.
  3. Capability inventory: Subprocess execution (`npx`), file-write/symlinking (`ln`), and network access (`curl`).
  4. Sanitization: Absent; the agent is encouraged to be generous and install results without verification.
- Command Execution (MEDIUM): The skill constructs and executes shell commands involving `npx` and `ln` based on unverified external data, increasing the risk of command injection if the marketplace results are compromised.
Recommendations
- AI detected serious security threats
Audit Metadata