octocode-researcher
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Flags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because its core function is to ingest and analyze untrusted external content.
  - Ingestion points: External code content is read via 'githubGetFileContent' and 'githubSearchCode' (SKILL.md), and package metadata is retrieved via 'packageSearch' (SKILL.md).
  - Boundary markers: SKILL.md contains no explicit instructions or delimiters that distinguish the agent's system instructions from content found within the code being processed.
  - Capability inventory: The skill has significant capabilities, including local and external file access (SKILL.md), repository cloning (SKILL.md), and shell execution via fallbacks (references/fallbacks.md).
  - Sanitization: The skill logic specifies no sanitization or validation of the ingested external content.
- [EXTERNAL_DOWNLOADS]: Tools such as 'githubCloneRepo' and 'githubSearchRepositories' in SKILL.md are used to fetch content from GitHub. This is fundamental to the skill's research capabilities but involves fetching data from third-party sources.
- [REMOTE_CODE_EXECUTION]: The setup instructions in SKILL.md recommend using 'npx -y octocode-mcp' to install the required MCP server. This involves downloading and executing code from the npm registry.
- [COMMAND_EXECUTION]: The Tier 2 and Tier 3 fallback paths described in references/fallbacks.md use shell commands such as 'gh', 'git', 'rg', and 'find' for discovery and analysis when the primary MCP tools are not available.
Audit Metadata