find-skills

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill utilizes npx to dynamically fetch and execute the skills package from npm and facilitates downloading additional skills from GitHub repositories.
  • REMOTE_CODE_EXECUTION (HIGH): The skill instructs the agent to use the -y flag with npx skills add, which skips all safety confirmation prompts during remote code installation. This allows for the silent installation and potential execution of malicious scripts from unverified third-party sources.
  • COMMAND_EXECUTION (MEDIUM): User queries are directly interpolated into shell commands (e.g., npx skills find [query]), creating a command injection vulnerability if the agent does not sanitize characters like ;, &, or |.
  • PROMPT_INJECTION (LOW): The skill presents an indirect prompt injection surface. Evidence: 1. Ingestion points: User queries and external search results. 2. Boundary markers: Absent for shell interpolation. 3. Capability inventory: Bash execution and remote package installation. 4. Sanitization: None detected for user or external data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 04:23 PM