repo-explorer

Warn

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates user-provided data such as repository URLs, branch names, and questions directly into shell commands like git clone, cd, and claude -p. Maliciously crafted inputs could potentially lead to command injection if the agent fails to escape or sanitize the inputs effectively.
  • [EXTERNAL_DOWNLOADS]: The skill downloads content from arbitrary remote Git repositories (GitHub, GitLab, etc.) provided by the user via git clone. This brings untrusted code and data into the local environment for processing.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection. 1) Ingestion point: Untrusted repository content is cloned into a temporary directory (SKILL.md). 2) Boundary markers: No delimiters or explicit instructions are used to isolate repository content from the sub-agent's logic. 3) Capability inventory: The sub-agent (claude -p) is granted access to tools like Read, Grep, and restricted Bash commands (SKILL.md). 4) Sanitization: No evidence of sanitization or filtering of the external repository content is present. While tools are limited to read-only access, malicious repository files could still influence the sub-agent to produce misleading or harmful analysis results.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 19, 2026, 02:33 PM
Security Audit — agent-trust-hub — repo-explorer