create-blog-post-聆tw
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes
./switch-site.shlocated within the cloned repositoryjim60105/blog. Since this repository is not a trusted source, the script could be modified to perform arbitrary malicious actions on the host system.\n- [COMMAND_EXECUTION] (MEDIUM): Extensive use ofgitandghCLI commands to manage submodules, branches, and PRs. While intended for the workflow, these tools provide broad access to the user's filesystem and GitHub credentials.\n- [EXTERNAL_DOWNLOADS] (LOW): The skill clones a repository and submodules fromgithub.com/jim60105/blog. This source is not on the trusted organizations list, making its content unverifiable.\n- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because it reads instructions from untrusted external files.\n - Ingestion points: Reads
AGENTS.mdand.github/instructions/quill-sage.instructions.mdfrom the cloned repository.\n - Boundary markers: Absent; the skill directs the agent to follow guidelines in these files without delimiters.\n
- Capability inventory: Subprocess execution (
./switch-site.sh), filesystem writes, and network operations (git push,gh pr create).\n - Sanitization: Absent; external instructions are processed directly as part of the writing and setup workflow.
Recommendations
- AI detected serious security threats
Audit Metadata