skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill's primary purpose is to install new executable components into the agent's environment ($CODEX_HOME/skills). It allows installation from any user-provided GitHub repository via scripts/install-skill-from-github.py. This functionality can be abused to download and execute malicious scripts if an attacker-controlled repository is targeted.
  • EXTERNAL_DOWNLOADS (HIGH): The skill facilitates downloading files from external sources (GitHub) and writing them directly to the local filesystem. This pattern is inherently risky as it bypasses static security boundaries by introducing new, unvetted code at runtime.
  • COMMAND_EXECUTION (MEDIUM): The documentation in SKILL.md indicates that the installation process involves shell-level operations, including Git sparse checkouts and directory management. These operations interact directly with the host system's shell environment and filesystem.
  • CREDENTIALS_UNSAFE (LOW): scripts/github_utils.py is designed to read and use GITHUB_TOKEN or GH_TOKEN from the environment. While the token is sent to the legitimate GitHub API (api.github.com), this creates a surface for potential credential exposure if the environment is compromised or if the destination URL is ever manipulated.
  • INDIRECT_PROMPT_INJECTION (LOW): The scripts/list-curated-skills.py script ingests data from the GitHub API and prints it to the agent's context.
      • Ingestion points: _list_curated fetches JSON directory listings from the GitHub API.
      • Boundary markers: None are present in the scripts or the communication templates in SKILL.md to distinguish between trusted labels and potential malicious injection content.
      • Capability inventory: The skill can write files to the disk and perform network requests; installed skills are presumably executed by the agent.
      • Sanitization: No sanitization is performed on the 'name' field returned by the GitHub API before it is printed to the terminal or JSON output.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:29 PM