apply-rules

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requests permission to execute broad and potentially destructive deletion commands: Bash(rm -rf /tmp/*) and Bash(rm -rf /var/folders/*). Instead of targeting specific temporary directories created during its own operation, these commands are scoped to wipe the entire system-wide temporary directories, which could lead to significant data loss or system instability.
  • [COMMAND_EXECUTION]: Access to Bash(gh api *) is requested, which allows arbitrary API calls through the GitHub CLI. This gives the agent full access to the user's GitHub account (as authorized by their local credentials), including the ability to modify or delete repositories and private data, which is far beyond the scope of fetching rule files.
  • [PROMPT_INJECTION]: The skill fetches and merges external markdown rules from arbitrary GitHub repositories into the project's rule set. This creates a surface for indirect prompt injection, where a compromised or malicious repository could inject instructions that override the agent's behavior, safety constraints, or project-specific principles during future interactions.
  • Ingestion points: Markdown rule files fetched from user-provided GitHub repositories or local paths.
  • Boundary markers: None; external rules are merged into the target project's rule structure without isolation or warnings.
  • Capability inventory: Includes Write access to the filesystem and broad Bash execution capabilities.
  • Sanitization: The skill does not validate or sanitize the fetched markdown content before integrating it into the project configuration.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 22, 2026, 01:39 AM
Security Audit — agent-trust-hub — apply-rules