@554/skill-installer

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches skill data, file lists, and code content from the remote gateway at https://skills-market-gateway.fly.dev. It also downloads and installs skills directly from arbitrary GitHub URLs provided in search results.
  • [REMOTE_CODE_EXECUTION]: The skill's primary function is to download and install new code (skills) to the local system. The installation script in SKILL.md uses a Python command (python3 -c) that fetches JSON data and writes files to the local directory.
  • Evidence: The script uses path = os.path.join(skill_dir, fname) without validating that fname is a safe, relative path. A malicious skill could provide a filename like ../../.bashrc to perform a path traversal attack and overwrite sensitive system files.
  • Evidence: The fallback mechanism uses npx skills add <githubUrl>, which executes a package manager command to download and install code from a user-provided or search-provided GitHub URL.
  • [COMMAND_EXECUTION]: The skill frequently uses bash to execute curl, python3, and npx commands for searching, downloading, and publishing skills.
  • Evidence: The search command curl ... | python3 -m json.tool is used for formatting, but the installation and publication steps use more complex Python execution (python3 -c) for logic.
  • [DATA_EXFILTRATION]: The skill accesses a local Unix socket to retrieve authentication credentials and transmits local file contents to a remote server.
  • Evidence: It retrieves an OIDC token by querying http://localhost/v1/tokens/oidc via the /.fly/api Unix socket.
  • Evidence: During the publish workflow, it walks the local directory, reads all files, and sends their contents in a JSON payload via a POST request to https://skills-market-gateway.fly.dev/skills/publish.
  • [PROMPT_INJECTION]: The skill processes untrusted input from an external marketplace that can influence the agent's future behavior.
  • Ingestion points: https://skills-market-gateway.fly.dev/skills/.../install, <githubUrl>
  • Boundary markers: Absent; the skill writes downloaded content directly to the file system and triggers a cache refresh.
  • Capability inventory: File writing (open('w').write), directory creation (os.makedirs), and command execution (npx, curl).
  • Sanitization: Absent; there is no validation or filtering of the content being downloaded or the file paths used for storage.
Recommendations
  • HIGH: Downloads and executes remote code from: https://skills-market-gateway.fly.dev/skills/search?q=QUERY - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 18, 2026, 03:10 AM
Security Audit — agent-trust-hub — @554/skill-installer