create-blog-post-聆tw

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill executes ./switch-site.sh located within the cloned repository jim60105/blog. Since this repository is not a trusted source, the script could be modified to perform arbitrary malicious actions on the host system.\n- [COMMAND_EXECUTION] (MEDIUM): Extensive use of git and gh CLI commands to manage submodules, branches, and PRs. While intended for the workflow, these tools provide broad access to the user's filesystem and GitHub credentials.\n- [EXTERNAL_DOWNLOADS] (LOW): The skill clones a repository and submodules from github.com/jim60105/blog. This source is not on the trusted organizations list, making its content unverifiable.\n- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because it reads instructions from untrusted external files.\n
  • Ingestion points: Reads AGENTS.md and .github/instructions/quill-sage.instructions.md from the cloned repository.\n
  • Boundary markers: Absent; the skill directs the agent to follow guidelines in these files without delimiters.\n
  • Capability inventory: Subprocess execution (./switch-site.sh), filesystem writes, and network operations (git push, gh pr create).\n
  • Sanitization: Absent; external instructions are processed directly as part of the writing and setup workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 03:44 PM
Security Audit — agent-trust-hub — create-blog-post-聆tw