find-skills

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell commands through npx skills to perform search, installation, and management tasks for external modular packages.
  • [EXTERNAL_DOWNLOADS]: The npx skills add command downloads executable code from external sources, including GitHub repositories and the npm registry.
  • [REMOTE_CODE_EXECUTION]: The skill encourages the installation and execution of remote packages. Specifically, it instructs the agent to use the -y flag (npx skills add <package> -g -y), which bypasses confirmation prompts and may lead to the silent execution of unverified code.
  • [PROMPT_INJECTION]: The skill presents search results from an external registry (skills.sh) to the user. This creates a surface for indirect prompt injection, where malicious package metadata or descriptions could attempt to influence the agent's instructions or deceive the user.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — find-skills