octocode-engineer
Fail
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The --affected argument in scripts/run.js is vulnerable to shell command injection. The input is passed directly to execSync in src/pipeline/affected.ts without sanitization, allowing arbitrary command execution if a malicious string is provided to the scanner.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection, as it analyzes untrusted codebases and includes their content in its reports.
  - Ingestion points: scripts/run.js and scripts/ast/search.js read any file in the target repository to extract patterns, metrics, and code snippets.
  - Boundary markers: The skill produces structured output but lacks explicit delimiters or warnings to ignore instructions embedded in the analyzed code content before presenting it to the agent.
  - Capability inventory: The skill can execute shell commands via execSync and perform extensive file system operations on the host machine.
  - Sanitization: No sanitization or filtering of code content is performed before inclusion in the final report, allowing malicious instructions to reach the agent context.
- [EXTERNAL_DOWNLOADS]: The skill automatically installs its own native dependencies from the NPM registry if they are missing at runtime, via src/common/ensure-deps.ts. This uses official package managers and is a common pattern for distributing tools with native bindings, which is considered safe.
Recommendations
- AI detected serious security threats
Audit Metadata