skill-finder
Fail
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's installation workflow, defined in references/installation-workflow.md, explicitly automates the execution of shell scripts named setup.sh fetched from external GitHub repositories.
- [REMOTE_CODE_EXECUTION]: The skill performs automated dependency installation using npm install and pip install on files downloaded from unknown external repositories, which can execute malicious code through package install scripts or compromised dependencies.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the GitHub CLI (gh) to clone entire repositories and download arbitrary files from the public internet based on user-specified search queries, placing external content into the local environment.
- [COMMAND_EXECUTION]: Extensive use of shell utilities (gh, jq, base64, grep, sed, find, wc) is employed to manage local directories and process data received from external sources.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion points: fetching SKILL.md and README.md files via the GitHub API (Phase 3 and Phase 6). Boundary markers: Absent; the skill lacks delimiters or warnings to treat external content as untrusted data. Capability inventory: Substantial, including arbitrary shell execution (bash, npm, pip) and filesystem access in .claude/skills. Sanitization: Absent; the content is decoded and provided directly to the agent's context.
Recommendations
- AI detected serious security threats
Audit Metadata