skills-manager
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes multiple shell commands via the npx skills utility to perform registry searches and manage local skill installations.
- [EXTERNAL_DOWNLOADS]: Automatically downloads the skills CLI package from the npm registry and fetches skill content from external GitHub repositories during addition or update operations.
- [REMOTE_CODE_EXECUTION]: Facilitates the acquisition and subsequent execution of agent instructions or code from arbitrary remote GitHub repositories using the owner/repo@skill identifier format.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection through the output of the npx skills find command. Maliciously crafted metadata in the skill registry could be used to manipulate the agent's logic during search and installation.
- Ingestion points: Results from npx skills find as processed in SKILL.md workflows.
- Boundary markers: None; the agent is instructed to parse and present CLI output directly without delimiters or instruction isolation.
- Capability inventory: Shell command execution and file system write access as described in the skill's commands.
- Sanitization: No verification of external skill identifiers, names, or descriptions is performed before they are integrated into the agent's context.
Audit Metadata