publish-skill

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes numerous shell commands using variables (e.g., $skill_name, $AI_SKILLS_PATH) derived from the local filesystem and environment. Several instances in Steps 2, 3, 5, 6, 7, and 8 use unquoted variables within shell commands (e.g., git hash-object ".agents/skills/$skill_name/SKILL.md"), which is a known pattern for shell injection if a directory name contains shell metacharacters.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx skills add to fetch and install skills from a remote GitHub repository. This involves downloading content from external sources (GitHub/npm) at runtime.
  • [REMOTE_CODE_EXECUTION]: The use of npx combined with a dynamically determined repository specification ($AI_SKILLS_SPEC) results in the execution of code downloaded from a remote source.
  • [PROMPT_INJECTION]: The skill processes SKILL.md files as data inputs. These files are then passed to a code-reviewer agent and installed. This creates an attack surface for indirect prompt injection where malicious instructions inside a skill file could influence the reviewing agent or the local environment during installation. The skill attempts to mitigate this with a specific code review step in Step 4.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 17, 2026, 06:41 PM
Security Audit — agent-trust-hub — publish-skill