criar-skill
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The README.md and installation guides promote a command that pipes a remote shell script directly into bash: `curl -fsSL https://raw.githubusercontent.com/okjpg/skill-creator/main/install.sh | bash`. This pattern allows for the execution of unverified code from an untrusted source.
- [COMMAND_EXECUTION]: The core skill logic in `SKILL.md` instructs the agent to execute multiple CLI tools with system-level impact, including the 1Password CLI (`op`), GitHub CLI (`gh`), and various shell commands (`mkdir`, `cp`, `rm`, `ls`, `cat`).
- [CREDENTIALS_UNSAFE]: The skill logic in `SKILL.md` (QA Check 9) specifically handles the detection of hardcoded secrets. It directs the agent to move these secrets into either a 1Password vault via CLI or a local environment file (~/.claude/.env). Automating the handling of credentials through an agent's filesystem and CLI tools increases the risk of credential exposure or theft.
- [EXTERNAL_DOWNLOADS]: The `install.sh` script and the `prompt-instalacao.md` prompt facilitate the download of executable logic and configuration files from the `okjpg` GitHub repository without any integrity verification (such as checksums).
- [DATA_EXFILTRATION]: The skill includes an optional 'GitHub Backup' feature that uses the `gh` CLI to create repositories and push skill content to the web. This capability could be exploited to exfiltrate skill data to attacker-controlled repositories.
- [DATA_EXPOSURE]: In its 'Captura de Sessão' (Session Capture) mode, the skill requires the agent to read the entire conversation history of the session to extract workflow steps, which potentially exposes sensitive information previously discussed to the skill's processing logic.
- [INDIRECT_PROMPT_INJECTION]: The skill presents a large attack surface as it ingests untrusted data from session histories and user-pasted text, which is then used to generate new executable instruction files (skills).
- Ingestion points: Current session history and user-provided workflow descriptions (SKILL.md).
- Boundary markers: None identified; the agent is not instructed to ignore embedded commands in the provided workflows.
- Capability inventory: Filesystem write access to the user's home directory and execution of external CLIs (`op`, `gh`, `claude`).
- Sanitization: None identified; the skill structures the raw input directly into a new SKILL.md template.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/okjpg/skill-creator/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata