Security risk report for @forgecat/openai_skills_system-skill-installer v0.0.11
Source Integrity
Low
Profile claims authorship by OpenAI with a legitimate GitHub repository (openai/skills) and Apache-2.0 license.
Commit hash and timestamp provided; source appears traceable to a known public repository.
Agent Intent
INT-000Medium
The skill explicitly instructs the agent to install arbitrary code from external GitHub repositories, including private repos, which is a self-expanding capability that could be abused to install malicious skills.
The profile instructs the agent to use network-accessing scripts and request sandbox escalation, broadening the agent's authority beyond a simple listing task.
No direct prompt injection, credential exfiltration, or role-hijacking instructions are present; the concern is the open-ended 'install from any repo' design rather than explicit malicious directives.
Details
Evidence
"Install from another repo when the user provides a GitHub repo/path (including private repos)."
"All of these scripts use network, so when running in the sandbox, request escalation when running them."
The skill installer implicitly requires file_write and file_mutate authority to install skills into $CODEX_HOME/skills, but this is not explicitly declared in the profile's tool definitions.
The instruction to 'request escalation when running in sandbox' and the ability to install arbitrary code from external repos (including private ones) grants excessive agency — the agent can escalate privileges and execute untrusted code without explicit user consent per installation.
No declared tool restrictions or allowlist; the skill can install any skill from any GitHub repo path, creating a vector for supply-chain injection if the agent is socially engineered or if a curated list is poisoned.
Details
Evidence
"Installs into $CODEX_HOME/skills/<skill-name> (defaults to ~/.codex/skills)."
"All of these scripts use network, so when running in the sandbox, request escalation when running them."
"Install from another repo when the user provides a GitHub repo/path (including private repos)."
MCP Risk
Low
No MCP servers are declared in the profile.
The skill relies on local Python scripts (list-skills.py, install-skill-from-github.py) and GitHub API/git, not on MCP server definitions.
Details
Evidence
Profile field 'MCP servers (untrusted data)' lists: (none)