bkt
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documents commands such as
bkt extension installandbkt extension exec, which enable the cloning and execution of code from remote Git repositories. - [DATA_EXFILTRATION]: The tool handles sensitive Bitbucket authentication tokens (PATs and OAuth tokens). While it implements measures to strip these from the environment before running extensions, the core functionality requires access to these credentials to interact with Bitbucket APIs.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions for downloading the
bktCLI and its extensions from external sources, including GitHub and Bitbucket, with several references targeting the author's own repositories. - [PROMPT_INJECTION]: The skill provides an indirect prompt injection surface as it retrieves content from Bitbucket (e.g., Pull Request descriptions and Issue bodies) and possesses the capability to perform sensitive actions like merging code or executing extensions.
- Ingestion points: Untrusted data enters the agent's context through commands like
bkt pr view,bkt issue view, andbkt pr listwhich fetch information from external Bitbucket servers. - Boundary markers: Not present. The skill does not instruct the agent to use delimiters or specific warnings when processing data fetched from Bitbucket.
- Capability inventory: The skill allows the execution of shell commands, network operations via the
bkt apicommand, and the execution of external code through the extension system. - Sanitization: Not specified. Content retrieved from Bitbucket is not explicitly sanitized or validated before it is processed by the agent.
Audit Metadata