Gen Agent Trust Hub audit: oh-my-codex /skill (yeachan-heo)

Verdict: Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The /skill setup and /skill scan subcommands use shell scripts built from find, sh -c, grep, and sed to inventory skills and extract metadata from markdown files in the ~/.codex/skills/ and .codex/skills/ directories.
  • [EXTERNAL_DOWNLOADS]: The /skill import feature lets the agent download skill content from arbitrary user-provided URLs. GitHub Gist is mentioned as the common use case, but the functionality is not restricted to trusted sources.
  • [REMOTE_CODE_EXECUTION]: Processing imported skills carries a potential code-execution risk. If a maliciously crafted skill is imported whose metadata (such as the 'name' or 'description' fields) contains shell metacharacters, the shell-based scanning logic used during inventory could execute unintended commands.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 12, 2026, 09:43 AM