Skills
skills/bighardperson/computer-science-skills-collection/read-github/Gen Agent Trust Hub

read-github

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The script scripts/gitmcp.py uses npx -y to download the mcp-remote package from the public npm registry at runtime.
  • [REMOTE_CODE_EXECUTION]: By using npx -y mcp-remote, the skill executes code from an external registry. The package is not pinned to a specific version or hash, meaning the executed code could change without notice.
  • [COMMAND_EXECUTION]: The script scripts/gitmcp.py uses subprocess.Popen to execute shell commands (npx). While it passes arguments as a list, which prevents simple shell injection, the repository URL passed to the command is derived from user input and could be used for argument injection if it contains leading dashes or other control characters.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process documentation and code from external GitHub repositories via the gitmcp.io proxy, creating an attack surface for indirect prompt injection.
  • Ingestion points: Repository documentation and code are fetched and printed to stdout in scripts/gitmcp.py (via fetch-docs, search-docs, and search-code commands).
  • Boundary markers: No boundary markers or 'ignore' instructions are present to delimit the external content from the agent's internal instructions.
  • Capability inventory: The skill has the capability to execute shell commands (npx) and fetch content from external URLs.
  • Sanitization: No sanitization, validation, or filtering of the fetched repository content is performed before it is provided to the agent context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 01:02 AM
Security Audit — agent-trust-hub — read-github