find-skills
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill facilitates the installation of third-party content from GitHub repositories and a central registry using `npx skills add`. Per the [TRUST-SCOPE-RULE], this finding is downgraded to LOW because the primary source repository (vercel-labs/skills) is a recognized trusted source.
- [COMMAND_EXECUTION] (INFO): The skill provides instructions for running `npx` commands. This is standard behavior for a CLI-based tool manager and does not involve immediate arbitrary execution beyond the tool's intended scope.
- [INDIRECT_PROMPT_INJECTION] (LOW): The discovery feature (searching community skills) creates an ingestion surface for untrusted metadata (skill names and descriptions). While a malicious author could use deceptive descriptions, the skill provides a specific 'Evaluating Skills' guide to assist users in vetting community content before installation.
Audit Metadata