retro-private-skills
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands including
git status,git commit, andgit pushto manage the lifecycle of skill files. - [COMMAND_EXECUTION]: During the optional 'Intake' step, the skill executes a local PowerShell script (
scripts/Sync-CopilotSkillsToPrivateRepo.ps1) located within the target repository's path. - [DATA_EXFILTRATION]: In
safe-automode, the skill performs automatedgit pushoperations without explicit user confirmation if the repository is 3 or more commits ahead of the origin. This could potentially exfiltrate conversation data or internal logic to a remote repository. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted content from logs, terminal history, and git diffs to generate or update
SKILL.mdinstruction files. - Ingestion points: Untrusted data enters via error logs, Git diffs, conversation summaries, and terminal history (found in SKILL.md under 'Inputs').
- Boundary markers: The skill lacks technical boundary markers or 'ignore' instructions for the ingested data, relying instead on high-level logic to extract 'Learnings'.
- Capability inventory: The skill can write to
.github/skills/paths and execute shell commands (git, PowerShell scripts). - Sanitization: Instructions advise the agent to abstract data and avoid secrets, but there is no automated sanitization or validation of the input content before it is written to instruction files.
Audit Metadata