upskill
Fail
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill executes a remote script piped directly to bash from the HKUDS/Upskill repository.
- Evidence:
curl -sSL https://raw.githubusercontent.com/HKUDS/Upskill/main/cc-integration/install.sh | bash -s -- --remoteis used in bothSKILL.mdandscripts/install.sh. - [COMMAND_EXECUTION]: The skill frequently invokes shell commands to manage its environment, including installing external dependencies and modifying system-wide configuration.
- Evidence:
scripts/install.shusesnpxto globally install skills and executes local shell scripts likeinstall.shandupskill-build.shto perform core logic. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted session data to influence future agent instructions.
- Ingestion points: The
upskill-buildcommand readssession.logandmetadata.txtfrom previous sessions (found inreferences/commands.md). - Boundary markers: None mentioned for the teacher model's analysis of failure trajectories.
- Capability inventory: The skill has access to
Bash,Read,Write,Edit, andWebFetchtools. - Sanitization: No evidence of sanitization or filtering of the session logs before they are processed by the "Teacher" model to generate new
SKILL.mdinstructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/HKUDS/Upskill/main/cc-integration/install.sh, https://raw.githubusercontent.com/HKUDS/Upskill/${UPSKILL_REF}/cc-integration/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata