repo-explorer
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands (including `git clone` and `claude -p`) using user-provided inputs such as repository URLs, branch names, and analysis questions. This creates a risk of command injection if the agent fails to properly sanitize or quote these inputs. Additionally, the skill utilizes an inline environment variable override (`CLAUDECODE=`) specifically to bypass internal CLI constraints against running in nested sessions.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to clone external codebases from arbitrary URLs provided by the user into the local execution environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when analyzing untrusted repositories.
  - Ingestion points: External code and documentation are ingested into the agent context via `git clone` as defined in `SKILL.md` (Workflow step 2).
  - Boundary markers: Absent. No delimiters or instructions to ignore instructions found within the code are provided in the workflow.
  - Capability inventory: The agent can perform file system operations (`mktemp`, `rm -rf`) and network downloads; the sub-agent is granted tools for file reading (`Read`), discovery (`Glob`, `Grep`), and restricted shell execution (`Bash`) in `SKILL.md` (Workflow step 3).
  - Sanitization: Absent. There is no mechanism to validate or filter repository content before it is processed by the agent.
- [DATA_EXFILTRATION]: The combination of network access (for cloning) and file read capabilities (for exploration) could be exploited to exfiltrate sensitive data if the agent is manipulated by malicious content within a repository or a crafted user question.
Audit Metadata