octocode-engineer

Fail

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection in 'src/pipeline/affected.ts'. The 'getGitChangedFiles' function passes the 'revision' argument, which is taken directly from a user-provided CLI flag, into a template string executed by 'execSync' without any sanitization or validation. This allows an attacker to execute arbitrary shell commands if they can influence the revision string.
  • [EXTERNAL_DOWNLOADS]: The skill includes functionality in 'src/common/ensure-deps.ts' to automatically install its own native dependencies from the NPM registry during runtime. It executes 'npm install', 'yarn install', or 'pnpm install' based on detected lockfiles to ensure packages like 'typescript' and 'tree-sitter' are present before analysis begins.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Jun 18, 2026, 04:45 AM