github-multi-repo

Warn

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's architecture relies on cloning external GitHub repositories and then executing package management commands such as npm install, npm update, and npm test within those repositories. This pattern executes third-party code, including any lifecycle scripts defined in the external package.json files, which could lead to arbitrary code execution in the agent's environment.
  • [COMMAND_EXECUTION]: Extensive shell command orchestration is performed using Bash scripts to automate Git operations and interact with the GitHub CLI (gh). This includes discovery, cloning, and updating of multiple repositories programmatically.
  • [EXTERNAL_DOWNLOADS]: The skill automatically identifies and downloads source code from multiple external GitHub repositories to a local temporary directory for analysis and modification.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface (Category 8) due to its processing of untrusted external content:
  • Ingestion points: It reads package.json, CLAUDE.md, and repository metadata from various GitHub repositories.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to prevent it from acting on malicious instructions that might be embedded in these external files.
  • Capability inventory: The skill possesses powerful capabilities including shell execution (Bash) and the ability to modify and push files back to GitHub repositories.
  • Sanitization: The content of retrieved files is not sanitized or validated before being processed by the agent's logic.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 14, 2026, 06:40 AM
Security Audit — agent-trust-hub — github-multi-repo