skill-installer
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses curl to fetch repository data and file contents. It also uses mkdir -p and rm -rf to manage installation directories within the agent's configuration path (~/.claude/skills/). This introduces potential risks, such as path traversal, if the skill name provided in untrusted metadata is not strictly sanitized.
- [EXTERNAL_DOWNLOADS]: It fetches SKILL.md content from various external sources, including GitHub and third-party URLs. While GitHub is a recognized service, the skill's ability to pull from arbitrary third-party domains increases the risk of downloading malicious instructions.
- [REMOTE_CODE_EXECUTION]: The skill's core purpose is to download and persist new instruction files that the agent will automatically load and execute in future sessions, effectively providing a mechanism for remote code persistence.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by ingesting and processing untrusted external content.
  - Ingestion points: Skill content is ingested from GitHub, remote URLs, or direct user input (Phase 1).
  - Boundary markers: No technical isolation or delimiters are used to wrap the untrusted content during the security audit phase.
  - Capability inventory: The skill can fetch data from the network, write files to the filesystem, and delete directories.
  - Sanitization: The skill relies on a prompt-based 'Security Audit' (Phase 2) to identify red lines. This guardrail could be bypassed by sophisticated instructions or obfuscation techniques within the downloaded content, tricking the installer into performing unauthorized actions.