Oathe Security Badge

Is agentskill-sh/learn safe?

https://github.com/agentskill-sh/learn

81
SAFE

This is a legitimate skill manager for the agentskill.sh ecosystem that allows searching, installing, and managing AI agent skills. While the skill itself appears safe and includes security scanning features, it represents a potential supply chain attack vector since it can install arbitrary skills from external sources.

Category Scores (score / 100 · weight in overall score)

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM Supply Chain Attack Vector -20

This skill acts as a package manager that can install arbitrary skills from agentskill.sh, creating a potential supply chain attack vector. While it includes security scanning, malicious skills could still be installed.

MEDIUM External API Dependency -15

The skill makes network requests to agentskill.sh API endpoints for searching, installing, and rating skills. This creates a dependency on external infrastructure that could be compromised.

LOW Usage Data Transmission -10

The skill sends usage metrics, platform information, and skill ratings to external servers. While this appears legitimate, it represents data transmission outside the local system.

INFO Security Scanning Features 0

The skill includes comprehensive security scanning functionality that checks for malicious patterns in skills before installation, which is a positive security feature.