skill-system-installer
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches curated skill lists from a public GitHub repository managed by a trusted organization (openai/skills) and downloads user-requested skill packages from GitHub via ZIP archives or git cloning.
- [COMMAND_EXECUTION]: The installer executes local system commands including git, bash, and python3 to perform repository operations, file management, and system scaffolding tasks required for skill management.
- [SAFE]: The skill includes security-conscious code such as a safe ZIP extraction utility that prevents path traversal (Zip Slip) attacks by verifying that all extracted files remain within the intended destination directory.
- [SAFE]: Sensitive environment variables like GITHUB_TOKEN are used correctly for API authentication without being hardcoded or exposed to unauthorized external services.
Audit Metadata