Is killerapp/agentskills-io safe?

https://github.com/openclaw/skills/tree/main/skills/killerapp/agentskills-io

97 · SAFE

This skill provides legitimate documentation and tooling for the agentskills.io standard for creating portable AI agent skills. The main security concern is a validation script that downloads and executes code from a remote repository, though this appears to be from a legitimate source.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

MEDIUM: Remote code execution in validation script (-15)

The validate-skills-repo.sh script uses uvx to download and execute code from a remote GitHub repository (github.com/agentskills/agentskills). While this appears to be a legitimate validation tool, it could pose a risk if the remote repository is compromised.

LOW: Dependency on external validation service (-10)

The skill's validation functionality relies on downloading tools from an external repository, creating a supply chain dependency that could be exploited if the upstream repository is compromised.