nightshift
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes content from external GitHub repositories, which creates a surface for indirect prompt injection. A malicious repository could contain instructions designed to manipulate the agent's behavior during analysis or implementation phases.
- Ingestion points:
nightshift.pyclones external repositories usinggit cloneand processes their contents. - Boundary markers: Prompts use section headers like
## Taskand## Instructionsfor structure, but lack explicit delimiters or instructions to ignore malicious content embedded within the files being analyzed. - Capability inventory: The agent has access to
subprocess.run(executing git, gh, and npx commands), file system access for reads/writes, and network access for API communication. - Sanitization: No sanitization is performed on the repository content before it is processed by the agent.
- [COMMAND_EXECUTION]: The
lint-doctor-fixtask instructs the agent to scan repository configuration files (such aspackage.jsonorMakefile) to identify and run project-specific linting or 'doctor' tools. This could lead to the execution of arbitrary scripts defined by a malicious repository on the host system. - [EXTERNAL_DOWNLOADS]: The skill uses
npxto download and execute external packages (afdocsandoptimo) from the npm registry at runtime. While these tools are used for their intended purposes (documentation scanning and media optimization), the practice of executing unversioned remote code introduces supply chain risks. - [COMMAND_EXECUTION]: The orchestrator script (
nightshift.py) makes extensive use of thesubprocessmodule to execute system commands, includinggitand the GitHub CLI (gh), for repository management and interaction with the GitHub API. - [DATA_EXFILTRATION]: The skill handles sensitive credentials, including a
GLM_API_KEYand a GitHub personal access token (GH_TOKEN). These tokens are used for legitimate communication with the Zhipu AI API (open.bigmodel.cn) and the GitHub API, but they represent high-value targets if the agent's context is compromised.
Audit Metadata