add-ext-skill

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill's primary function is to download and install new logic into the agent's environment. By using 'curl' to fetch a 'SKILL.md' file and then writing it to the 'skills/' directory, it allows for the persistence and execution of arbitrary remote instructions.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill uses the 'Bash' tool to download files from user-supplied URLs without any domain restriction or signature verification. This allows an attacker to host malicious skill files on any server.
  • [INDIRECT PROMPT INJECTION] (HIGH): The skill is designed to ingest and process untrusted external data (the downloaded SKILL.md file).
    • Ingestion points: The 'SKILL.md' file content downloaded in Step 2.
    • Boundary markers: None. The content is read as a raw string and used to generate new files.
    • Capability inventory: The skill utilizes 'Bash' for shell command execution and the 'Write' tool for filesystem modifications.
    • Sanitization: The only validation performed is checking for the presence of 'name' and 'description' fields in the YAML frontmatter. The actual instructional body of the skill is not inspected for malicious patterns before installation.
  • [COMMAND_EXECUTION] (HIGH): The skill uses 'Bash' to create directories and run curl. If the '{name}' variable extracted from the untrusted YAML or the user-provided '{URL}' contains shell metacharacters, it could lead to direct command injection on the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 11:59 PM