Skills
skills/base/skills/plugin-review/Gen Agent Trust Hub

plugin-review

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill guides the agent to execute code from third-party npm packages via npx and node during the optional live testing phase. This involves running potentially untrusted code defined in the plugin being reviewed.
  • [COMMAND_EXECUTION]: The workflow relies on several CLI tools (gh, curl, npm, npx, cast, node) that take parameters from the untrusted third-party plugins or Pull Request data.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to fetch the Plugin Specification from a GitHub repository and encourages making requests to external, third-party API endpoints for verification purposes.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of processing untrusted content from GitHub Pull Requests and third-party files.
  • Ingestion points: Data is fetched using gh pr view, gh pr diff, and gh api from potentially attacker-controlled Pull Requests.
  • Boundary markers: There are no explicit instructions or markers to distinguish between the skill's own instructions and instructions potentially embedded within the third-party data being reviewed.
  • Capability inventory: The skill has access to tools capable of network exfiltration and remote code execution, including curl, gh, and npx.
  • Sanitization: No validation or sanitization of the fetched data is performed before it is processed by the agent or passed to sub-agents.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 22, 2026, 07:19 PM
Security Audit — agent-trust-hub — plugin-review