skill-finder
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
Flagged categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's installation workflow, defined in 'references/installation-workflow.md', contains logic to execute code from untrusted sources.
  - The 'download_complex_skill' function and the 'Post-Installation' sections explicitly automate the execution of 'bash setup.sh' if present in a downloaded repository.
  - It also automates the installation of dependencies using 'npm install' and 'pip install -r requirements.txt' from repositories discovered through user-driven searches, which may contain malicious code.
- [COMMAND_EXECUTION]: The skill uses various shell commands and pipelines to perform its core functions.
  - The workflow in 'SKILL.md' and the scripts in 'references/installation-workflow.md' use 'gh api', 'jq', 'base64', and shell redirection to fetch remote content and write it to the local filesystem.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it fetches and interprets the contents of 'SKILL.md' files from arbitrary third-party repositories.
  - Specifically, Phase 4 of the core workflow instructs the agent to 'actually READ the SKILL.md content' for scoring. A malicious repository could include instructions in its 'SKILL.md' designed to manipulate the agent's evaluation logic or perform unauthorized actions.
  - The evidence chain shows ingestion from 'gh api', no boundary markers for external content, and high-risk capabilities like shell execution and file writing.
- [EXTERNAL_DOWNLOADS]: The skill fetches data and metadata from 'api.github.com' and 'github.com'. While these are well-known and trusted platforms, the skill is designed to download and process content from any user-provided repository found during search, which constitutes an untrusted source.
Recommendations
- AI detected serious security threats