install-skill
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The
SKILL.mdfile contains a shell command template where user-provided input ($ARGUMENTS) is directly interpolated:node <path> $ARGUMENTS. This creates a direct command injection vulnerability. An attacker can provide shell metacharacters (such as;,&,|, or backticks) within the argument to execute arbitrary commands on the underlying host machine. - [REMOTE_CODE_EXECUTION]: The primary purpose of this skill is to download and install executable logic from remote GitHub repositories. This enables an attacker to provide a URL to a malicious repository, tricking the agent into installing and subsequently executing unauthorized code.
- [EXTERNAL_DOWNLOADS]: The
install-skill.jsscript downloads content fromapi.github.comandraw.githubusercontent.com. Although these are established services, the tool allows for the retrieval of content from any user-specified repository, bypassing security checks and introducing supply chain risks. - [DATA_EXFILTRATION]: The script permits users to specify a
--targetpath or a--namefor the skill folder. These inputs are used inpath.joinoperations without sanitization for path traversal sequences (like../). An attacker could manipulate these flags to overwrite sensitive configuration files (e.g.,~/.bashrc,~/.ssh/authorized_keys) or system files, leading to system compromise or persistence. - [CREDENTIALS_UNSAFE]: The installer script explicitly accesses
GITHUB_TOKENandGH_TOKENfrom the environment. While standard for API authentication, the combination of credential access with arbitrary file write capabilities increases the risk of credential misuse if the script is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata