The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill's primary function is to download and install external AI skills. By permitting installation from arbitrary GitHub repositories, it introduces a software supply chain risk where a user could be deceived into installing malicious skills containing harmful instructions or scripts.\n- [EXTERNAL_DOWNLOADS]: The skill performs network requests to GitHub's API and download servers to fetch repository metadata and ZIP archives. It also performs Git clones from remote URLs.\n- [COMMAND_EXECUTION]: The scripts/install-skill-from-github.py script uses subprocess.run() to execute system Git commands for cloning and sparse checkouts. These operations involve passing user-controlled or remote-provided strings such as repository URLs and branch references to the system shell.

skill-installer