skill-scout
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill automates the installation of external code by cloning repositories and executing npm install --production in lib/installer.js. This process is inherently unsafe as it allows for the execution of arbitrary lifecycle scripts (e.g., preinstall or postinstall) defined in the package.json of any discovered or user-provided repository.
- [COMMAND_EXECUTION]: The lib/installer.js module uses child_process.exec to run several system-level commands, including git clone, git pull, and npm install. These commands are executed on paths and URLs derived from untrusted external data.
- [EXTERNAL_DOWNLOADS]: The lib/scout.js and lib/evaluator.js modules make network requests to the GitHub API (api.github.com) to search for repositories and fetch their files. While the service is well-known, the content retrieved originates from arbitrary third-party accounts.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8). It ingests metadata and file content (repository descriptions, SKILL.md files) from GitHub to evaluate and score skills.
  - Ingestion points: lib/scout.js (search results) and lib/evaluator.js (fetching repository files).
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded instructions in the ingested content.
  - Capability inventory: The skill possesses extensive system capabilities including shell command execution (exec), file system modification (symlink, rm), and network operations.
  - Sanitization: The skill lacks robust sanitization of external text before it is processed by the evaluator, potentially allowing a malicious repository to manipulate the scoring or installation logic.
Recommendations
- AI detected serious security threats
Audit Metadata