Skills
skills/bluzir/claude-code-design/ingest-github/Gen Agent Trust Hub

ingest-github

Fail

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses variables parsed from a user-provided GitHub URL (owner, repo, ref, and slug) directly in Bash commands such as mkdir and gh repo clone. If these components are not properly sanitized, a malicious URL could be used to inject arbitrary shell commands (e.g., github.com/owner/$(whoami)).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes content from untrusted external repositories. An attacker could place malicious instructions inside CSS, JavaScript, or JSON files in a repository which might be executed or followed by the agent during the extraction phase.
  • Ingestion points: Step 3 and 4 in SKILL.md (via Glob and Read operations on the cloned repository contents).
  • Boundary markers: Absent. The skill does not define delimiters or provide instructions to the agent to ignore embedded commands within the files.
  • Capability inventory: Write, Bash (mkdir, gh, rm, realpath, basename), and Read tools are available.
  • Sanitization: Absent. No filtering or validation of the ingested file content is performed before processing.
  • [EXTERNAL_DOWNLOADS]: The skill performs remote operations by cloning repositories from github.com. While GitHub is a well-known service, the skill downloads and stores untrusted code in the /tmp directory for analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 2, 2026, 02:20 PM