skills/isomoes/skills/find-skills/Gen Agent Trust Hub

find-skills

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions to download and install new functionality using the npx skills add <owner/repo@skill> command. Since these skills can contain scripts and executable instructions, this mechanism facilitates the execution of code from remote, third-party repositories.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use the -y flag (e.g., npx skills add <package> -g -y) to skip confirmation prompts. This practice reduces user oversight and enables the autonomous installation of external code without a human-in-the-loop review, which is a significant security bypass.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch and integrate content from external sources, specifically GitHub. While it mentions well-known organizations as examples, the tool can be used to install packages from any repository, exposing the environment to potential supply-chain attacks or malicious packages masquerading as legitimate skills.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 14, 2026, 01:23 PM