skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill's purpose is to download and install executable code ('skills') into the agent's environment. While it defaults to 'openai/skills', the instructions explicitly support user-specified repositories (e.g., `--repo <owner>/<repo>`), which could lead to the installation and subsequent execution of untrusted malicious code.
- CREDENTIALS_UNSAFE (HIGH): The script `scripts/github_utils.py` retrieves the `GITHUB_TOKEN` and `GH_TOKEN` environment variables. These sensitive credentials could be exfiltrated if the agent is compromised by a malicious skill downloaded through this tool.
- EXTERNAL_DOWNLOADS (HIGH): The skill performs network operations to fetch directory listings and file contents from the GitHub API using `urllib.request`.
- COMMAND_EXECUTION (MEDIUM): The skill executes local Python helper scripts to manage the file system and network tasks required for installation.
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). An attacker could host a repository containing malicious instructions that the agent would ingest during the 'list' or 'install' phase. Evidence: (1) Ingestion point: GitHub API contents in `scripts/list-skills.py`; (2) Boundary markers: Absent; (3) Capability inventory: Network access and file installation/persistence; (4) Sanitization: None.
Recommendations
- AI detected serious security threats
Audit Metadata