find-skills
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands through
npx skillsto perform search, installation, and management tasks for external modular packages. - [EXTERNAL_DOWNLOADS]: The
npx skills addcommand downloads executable code from external sources, including GitHub repositories and the npm registry. - [REMOTE_CODE_EXECUTION]: The skill encourages the installation and execution of remote packages. Specifically, it instructs the agent to use the
-yflag (npx skills add <package> -g -y), which bypasses confirmation prompts and may lead to the silent execution of unverified code. - [PROMPT_INJECTION]: The skill presents search results from an external registry (
skills.sh) to the user. This creates a surface for indirect prompt injection, where malicious package metadata or descriptions could attempt to influence the agent's instructions or deceive the user.
Audit Metadata