nightshift

Warn

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes content from external GitHub repositories, which creates a surface for indirect prompt injection. A malicious repository could contain instructions designed to manipulate the agent's behavior during analysis or implementation phases.
  • Ingestion points: nightshift.py clones external repositories using git clone and processes their contents.
  • Boundary markers: Prompts use section headers like ## Task and ## Instructions for structure, but lack explicit delimiters or instructions to ignore malicious content embedded within the files being analyzed.
  • Capability inventory: The agent has access to subprocess.run (executing git, gh, and npx commands), file system access for reads/writes, and network access for API communication.
  • Sanitization: No sanitization is performed on the repository content before it is processed by the agent.
  • [COMMAND_EXECUTION]: The lint-doctor-fix task instructs the agent to scan repository configuration files (such as package.json or Makefile) to identify and run project-specific linting or 'doctor' tools. This could lead to the execution of arbitrary scripts defined by a malicious repository on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute external packages (afdocs and optimo) from the npm registry at runtime. While these tools are used for their intended purposes (documentation scanning and media optimization), the practice of executing unversioned remote code introduces supply chain risks.
  • [COMMAND_EXECUTION]: The orchestrator script (nightshift.py) makes extensive use of the subprocess module to execute system commands, including git and the GitHub CLI (gh), for repository management and interaction with the GitHub API.
  • [DATA_EXFILTRATION]: The skill handles sensitive credentials, including a GLM_API_KEY and a GitHub personal access token (GH_TOKEN). These tokens are used for legitimate communication with the Zhipu AI API (open.bigmodel.cn) and the GitHub API, but they represent high-value targets if the agent's context is compromised.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 20, 2026, 09:06 AM
Security Audit — agent-trust-hub — nightshift