uithub-fetcher
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to construct shell commands using user-supplied GitHub URLs and search parameters (e.g., npx uithub-cli "owner/repo?search=..."). These inputs are interpolated directly into command strings without sanitization requirements, allowing an attacker to inject shell metacharacters such as backticks or $() to execute arbitrary code on the host system.
- [EXTERNAL_DOWNLOADS]: The skill relies on npx uithub-cli, which automatically downloads and executes code from the npm registry at runtime. This introduces a dependency on external third-party code that is fetched and run during skill execution.
- [CREDENTIALS_UNSAFE]: The documentation explicitly mentions that GitHub OAuth tokens are stored in ~/.uithub/token.json. This provides a high-value target for exploitation; an attacker using the command injection vulnerability can easily locate and exfiltrate these credentials.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external GitHub repositories (code, issues, and pull requests).
  - Ingestion points: GitHub repository contents fetched via uithub-cli (SKILL.md).
  - Boundary markers: None provided to separate external content from agent instructions.
  - Capability inventory: Shell command execution via npx (SKILL.md).
  - Sanitization: No sanitization or validation of the fetched external content is described.
Recommendations
- AI detected serious security threats
Audit Metadata