skills/connorads/dotfiles/find-skills/Gen Agent Trust Hub

find-skills

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the npx skills CLI to perform searches, check for updates, and manage the installation of agent extensions.
  • [EXTERNAL_DOWNLOADS]: Fetches and installs code packages from external sources including the npm registry and arbitrary GitHub repositories via the npx skills add command.
  • [REMOTE_CODE_EXECUTION]: Provides a direct mechanism for the agent to install and execute third-party code (skills). The use of the -y flag in instructions encourages bypassing user confirmation prompts during installation.
  • [PROMPT_INJECTION]: Contains a surface for indirect prompt injection where malicious instructions could be embedded in the metadata (names or descriptions) of skills returned by the search command.
      • Ingestion points: Data returned from the npx skills find shell command (SKILL.md).
      • Boundary markers: Absent; the agent is instructed to present findings and offer installation without explicit delimiters for untrusted metadata.
      • Capability inventory: Shell command execution, package installation, and global system modifications (via the -g flag).
      • Sanitization: None; the skill relies on the agent's interpretation of external search results.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 03:37 PM