publish-skill
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes numerous shell commands using variables (e.g.,
$skill_name,$AI_SKILLS_PATH) derived from the local filesystem and environment. Several instances in Steps 2, 3, 5, 6, 7, and 8 use unquoted variables within shell commands (e.g.,git hash-object ".agents/skills/$skill_name/SKILL.md"), which is a known pattern for shell injection if a directory name contains shell metacharacters. - [EXTERNAL_DOWNLOADS]: The skill uses
npx skills addto fetch and install skills from a remote GitHub repository. This involves downloading content from external sources (GitHub/npm) at runtime. - [REMOTE_CODE_EXECUTION]: The use of
npxcombined with a dynamically determined repository specification ($AI_SKILLS_SPEC) results in the execution of code downloaded from a remote source. - [PROMPT_INJECTION]: The skill processes
SKILL.mdfiles as data inputs. These files are then passed to acode-revieweragent and installed. This creates an attack surface for indirect prompt injection where malicious instructions inside a skill file could influence the reviewing agent or the local environment during installation. The skill attempts to mitigate this with a specific code review step in Step 4.
Audit Metadata