skill-installer
Warn
Audited by Snyk on May 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's installer and listing scripts explicitly fetch and ingest arbitrary GitHub content (e.g., scripts/list-curated-skills.py calls the GitHub API at api.github.com/repos/.../contents/... and scripts/install-skill-from-github.py downloads from codeload.github.com or performs git sparse-checkout), which pulls untrusted user-generated repo files into $CODEX_HOME/skills where they can be loaded as new agent skills and thus materially change agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer scripts perform runtime downloads from GitHub (e.g. https://codeload.github.com/{owner}/{repo}/zip/{ref} and https://api.github.com/repos/{repo}/contents/{path}?ref={ref}), which fetch remote SKILL.md and repo files that directly control agent prompts/instructions and are required for installation.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata