skill-manager
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses Bash scripts (install.sh, update.sh, remove.sh) to manage the local environment, creating symbolic links for local skills and executing Git commands (git clone, git fetch, git pull) to manage remote repositories. These operations are consistent with its primary purpose as a package manager for AI agent skills.\n- [EXTERNAL_DOWNLOADS]: The record.py and install.sh scripts perform network requests to github.com and raw.githubusercontent.com to fetch skill source code, version metadata, and changelogs. These requests target well-known and expected domains for software distribution.\n- [REMOTE_CODE_EXECUTION]: Although the skill installs external code, it does not automatically execute remote scripts upon download. It includes an internal security analysis tool (security.py) that performs static analysis on downloaded code to identify potential risks like command injection or credential harvesting, serving as a defensive layer.
Audit Metadata