Skills
skills/davepoon/buildwithclaude/ops-orchestrate/Gen Agent Trust Hub

ops-orchestrate

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit instructions to override safety and consent protocols, such as 'No preamble', 'Execute immediately', and 'Do not ask for confirmation'. These instructions aim to force the agent into high-autonomy execution without user oversight for actions like merging and deploying code.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting data from external, untrusted sources including GitHub issues, Sentry errors, and Linear tickets. This data is used to dynamically construct tasks and commands.
  • Ingestion points: Sentry API (mcp__sentry__search_issues), Linear API (mcp__linear__list_issues), and GitHub CLI (gh issue list).
  • Boundary markers: None identified; untrusted data is processed directly into task descriptions and execution prompts.
  • Capability inventory: Full shell access (Bash), subagent spawning (Agent), and administrative merge capabilities (gh pr merge --admin).
  • Sanitization: No evidence of input validation or content filtering for external data before it is passed to orchestration logic.
  • [CREDENTIALS_UNSAFE]: The instructions direct the agent to harvest highly sensitive authentication secrets, including GITHUB_TOKEN, SENTRY_AUTH_TOKEN, LINEAR_API_KEY, and ANTHROPIC_API_KEY, from environment variables, the Doppler secret manager, or local password managers.
  • [COMMAND_EXECUTION]: The skill utilizes eval to execute 'quality_gate' strings stored in task metadata. Since these tasks are generated based on external project state and issue tracker descriptions, this creates a vector for arbitrary command injection.
  • [COMMAND_EXECUTION]: The orchestration logic specifically employs the --admin flag with the GitHub CLI (gh pr merge --admin) to bypass branch protections and administrative review requirements during the 'Ship' phase.
  • [DATA_EXFILTRATION]: The skill transmits sensitive authentication tokens to external service providers, including sentry.io and api.linear.app, to facilitate automated auditing and issue retrieval. While these are well-known services, the automated handling of bearer tokens in shell commands increases the risk of credential exposure in logs or local history.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 29, 2026, 06:48 AM