github-configure-package-managers
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The configuration templates for pip (pip.conf) and Go (GOPROXY) incorporate '{username}:{password}' placeholders directly within repository URLs. If an agent populates these with real credentials and follows the instruction to commit and push the changes, sensitive credentials will be exposed in the repository's Git history.
- [COMMAND_EXECUTION]: The skill performs shell operations to manage the repository lifecycle, including 'mktemp' for temporary directory creation, 'git clone' for repository retrieval, 'find' for locating Dockerfiles, and 'git push' to transmit modifications.
- [DATA_EXFILTRATION]: The workflow involves cloning remote repositories, performing automated edits, and pushing those edits back to the origin. This pattern could be leveraged to exfiltrate sensitive information if the agent is directed to process repositories containing secrets or if the modification logic is subverted.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting and processing data from untrusted remote GitHub repositories.
- Ingestion points: The skill performs a 'git clone' on repositories specified in the 'github_repos' input.
- Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore embedded instructions within the cloned files.
- Capability inventory: The agent has the ability to execute shell commands ('git push', 'find'), modify files, and perform directory cleanup ('rm -rf').
- Sanitization: No sanitization or validation of the content within the cloned repositories is performed before processing (e.g., during Dockerfile 'FROM' rewriting).
Recommendations
- AI detected serious security threats
Audit Metadata