skill-find
Fail
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill workflow relies on fetching content from arbitrary GitHub repositories identified through web search results. This mechanism allows the agent to download third-party code that has not been vetted for security or authenticity.
- [REMOTE_CODE_EXECUTION]: The skill uses skill_install_github and skill_load to integrate external code into the agent environment. It further encourages executing this unverified code using skill_run if a demo is requested, creating a direct path for remote code execution from untrusted sources.
- [COMMAND_EXECUTION]: The instructions direct the agent to identify and run entrypoint scripts such as run.sh or files within a scripts/ directory from the downloaded skill. Executing shell scripts from unknown repositories is a high-risk operation that could lead to full system compromise.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and follows instructions from untrusted external data.
  - Ingestion points: The skill reads SKILL.md files and directory structures from arbitrary GitHub repositories found via web_search (SKILL.md).
  - Boundary markers: No specific delimiters or instruction-isolation markers are used to separate untrusted external content from the agent's core instructions.
  - Capability inventory: The skill has access to skill_install_github, skill_load, and skill_run (SKILL.md), providing a powerful execution environment for potentially malicious payloads.
  - Sanitization: There is no evidence of sanitization, verification, or integrity checking of the downloaded content before it is processed or executed.
Recommendations
- AI detected serious security threats
Audit Metadata