skill-installer

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's primary purpose is to install executable content (skills) from remote GitHub repositories into the local $CODEX_HOME/skills directory. The installer downloads scripts and configuration files that are intended for subsequent execution by the system. While the skill employs a security check to prevent path traversal (ZipSlip) during installation, the capability to install arbitrary code from user-specified repositories remains a significant security consideration.
  • [EXTERNAL_DOWNLOADS]: The skill performs several network operations to fetch metadata and source code. It queries the GitHub API (api.github.com) to retrieve directory listings and skill information. It downloads ZIP archives containing skill source code from codeload.github.com. By default, it targets the openai/skills repository, which is a trusted source, but it allows users to specify any GitHub repository.
  • [COMMAND_EXECUTION]: The installation process involves the execution of system binaries. The git command is used via subprocess.run to perform sparse checkouts of repositories when direct download is unavailable or fails. The implementation passes arguments as a list to the subprocess, which mitigates shell injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through data processed from external sources. Ingestion points: The list-skills.py script (line 61) fetches repository content names via the GitHub API. Boundary markers: There are no markers or instructions used to separate fetched filenames from the agent's internal logic. Capability inventory: The skill has the ability to write files to the local disk and execute the git command via install-skill-from-github.py. Sanitization: Filenames retrieved from the API are not sanitized or validated before being displayed, allowing an attacker who controls a repository to inject malicious instructions into the list presented to the user.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 2, 2026, 06:34 AM