github-multi-repo
Warn
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's architecture relies on cloning external GitHub repositories and then executing package management commands such as
npm install,npm update, andnpm testwithin those repositories. This pattern executes third-party code, including any lifecycle scripts defined in the externalpackage.jsonfiles, which could lead to arbitrary code execution in the agent's environment. - [COMMAND_EXECUTION]: Extensive shell command orchestration is performed using
Bashscripts to automate Git operations and interact with the GitHub CLI (gh). This includes discovery, cloning, and updating of multiple repositories programmatically. - [EXTERNAL_DOWNLOADS]: The skill automatically identifies and downloads source code from multiple external GitHub repositories to a local temporary directory for analysis and modification.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface (Category 8) due to its processing of untrusted external content:
- Ingestion points: It reads
package.json,CLAUDE.md, and repository metadata from various GitHub repositories. - Boundary markers: There are no explicit delimiters or instructions provided to the agent to prevent it from acting on malicious instructions that might be embedded in these external files.
- Capability inventory: The skill possesses powerful capabilities including shell execution (
Bash) and the ability to modify and push files back to GitHub repositories. - Sanitization: The content of retrieved files is not sanitized or validated before being processed by the agent's logic.
Audit Metadata