retro-private-skills

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands including git status, git commit, and git push to manage the lifecycle of skill files.
  • [COMMAND_EXECUTION]: During the optional 'Intake' step, the skill executes a local PowerShell script (scripts/Sync-CopilotSkillsToPrivateRepo.ps1) located within the target repository's path.
  • [DATA_EXFILTRATION]: In safe-auto mode, the skill performs automated git push operations without explicit user confirmation if the repository is 3 or more commits ahead of the origin. This could potentially exfiltrate conversation data or internal logic to a remote repository.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted content from logs, terminal history, and git diffs to generate or update SKILL.md instruction files.
  • Ingestion points: Untrusted data enters via error logs, Git diffs, conversation summaries, and terminal history (found in SKILL.md under 'Inputs').
  • Boundary markers: The skill lacks technical boundary markers or 'ignore' instructions for the ingested data, relying instead on high-level logic to extract 'Learnings'.
  • Capability inventory: The skill can write to .github/skills/ paths and execute shell commands (git, PowerShell scripts).
  • Sanitization: Instructions advise the agent to abstract data and avoid secrets, but there is no automated sanitization or validation of the input content before it is written to instruction files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 24, 2026, 07:33 AM
Security Audit — agent-trust-hub — retro-private-skills