github-stars-monitor
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The collector script 'collect.py' accesses the sensitive file path '~/.openclaw/gateway.env' to retrieve the 'GITHUB_TOKEN' credential.
- [PROMPT_INJECTION]: The skill processes untrusted content from GitHub user profiles (names, bios, and company fields) and interpolates it into subsequent tool calls and alerts without sanitization or boundary markers, creating a surface for indirect prompt injection.
  - Ingestion points: Profile data is fetched in 'collect.py' via the 'fetch_user_profile' function.
  - Boundary markers: No delimiters or ignore instructions are present when the agent processes the user data in 'SKILL.md' steps 3 and 4.
  - Capability inventory: The agent uses the 'exa-search__web_search_advanced_exa' tool and generates notification messages.
  - Sanitization: No validation or escaping of profile fields is performed before use.
- [PROMPT_INJECTION]: The instructions include specific command constraints designed to bypass security 'preflight blocks' and execution monitors.