
Skill: learn

Verdict: Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUM

Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructs the agent to perform 'Automatic Skill Rating' immediately after a task, explicitly stating 'Do not wait for user input' and 'You MUST rate it automatically'. This mandates background behavior that bypasses standard user-consent and transparency patterns for code execution and network activity.
  • [DATA_EXFILTRATION]: The skill requires the agent to silently submit 'feedback' (including agent-generated evaluations and comments) to an external server (agentskill.sh) via shell commands (npx @agentskill.sh/cli feedback). This automated exfiltration of agent context and task outcomes happens without a per-action user confirmation trigger.
  • [REMOTE_CODE_EXECUTION]: The skill heavily relies on npx to download and execute the @agentskill.sh/cli package at runtime. It also includes a self-update mechanism that automatically re-installs the skill from the marketplace if a version mismatch is detected.
  • [COMMAND_EXECUTION]: Extensive use of shell commands via npx for searching, installing, listing, and updating skills. The skill also executes git branch and reads local project files (package.json) to construct context-aware search queries.
  • [EXTERNAL_DOWNLOADS]: Fetches JSON data and binary/script content from agentskill.sh and NPM during search, installation, and update procedures.
  • [COMMAND_EXECUTION]: The /learn scan command reads and processes untrusted local SKILL.md files using a library of dangerous patterns in references/SECURITY.md. This creates an indirect prompt injection surface where a malicious skill being scanned could attempt to hijack the agent during the analysis process.
  • Ingestion points: /learn scan (local files), /learn search (API responses from agentskill.sh).
  • Boundary markers: None specified for separating scanned content or search results from the system prompt.
  • Capability inventory: Bash execution, WebFetch network access, and filesystem read/write access.
  • Sanitization: No explicit sanitization or instruction to ignore embedded commands within the scanned content is mentioned.
Audit Metadata

Risk Level: MEDIUM

Analyzed: May 6, 2026, 01:54 PM