awesome-codex-skills-curator
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches content from remote GitHub repositories using git clone commands. This includes the primary collection at github.com/ComposioHQ/awesome-codex-skills and various third-party repositories referenced in the documentation and examples.
- [REMOTE_CODE_EXECUTION]: The installation process involves executing a Python script (install-skill-from-github.py) that is downloaded from the remote repository. This allows the execution of arbitrary code provided by the skill source during the setup phase.
- [COMMAND_EXECUTION]: The skill uses the subprocess module to run shell commands, including git and python, with arguments derived from user input or external metadata. It also facilitates the manual execution of file system operations like cp -r to manage skill directories.
- [PROMPT_INJECTION]: The skill implements a routine to scan and parse SKILL.md files from downloaded repositories to list metadata like names and descriptions. This creates a surface for indirect prompt injection if a third-party skill contains malicious instructions within its frontmatter or descriptive text.
  - Ingestion points: Reads SKILL.md from directories in ~/.codex/skills/
  - Capability inventory: subprocess execution, file system access, network operations
  - Boundary markers: None present; the parser splits content based on YAML delimiters without sanitizing the extracted metadata
  - Sanitization: No validation or escaping of the metadata content before it is displayed to the user or processed by the agent