install-skill

Fail

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md file contains a shell command template where user-provided input ($ARGUMENTS) is directly interpolated: node <path> $ARGUMENTS. This creates a direct command injection vulnerability. An attacker can provide shell metacharacters (such as ;, &, |, or backticks) within the argument to execute arbitrary commands on the underlying host machine.
  • [REMOTE_CODE_EXECUTION]: The primary purpose of this skill is to download and install executable logic from remote GitHub repositories. This enables an attacker to provide a URL to a malicious repository, tricking the agent into installing and subsequently executing unauthorized code.
  • [EXTERNAL_DOWNLOADS]: The install-skill.js script downloads content from api.github.com and raw.githubusercontent.com. Although these are established services, the tool allows for the retrieval of content from any user-specified repository, bypassing security checks and introducing supply chain risks.
  • [DATA_EXFILTRATION]: The script permits users to specify a --target path or a --name for the skill folder. These inputs are used in path.join operations without sanitization for path traversal sequences (like ../). An attacker could manipulate these flags to overwrite sensitive configuration files (e.g., ~/.bashrc, ~/.ssh/authorized_keys) or system files, leading to system compromise or persistence.
  • [CREDENTIALS_UNSAFE]: The installer script explicitly accesses GITHUB_TOKEN and GH_TOKEN from the environment. While standard for API authentication, the combination of credential access with arbitrary file write capabilities increases the risk of credential misuse if the script is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 23, 2026, 04:46 PM
Security Audit — agent-trust-hub — install-skill