try
Fail
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a 'fetch and execute' pattern by downloading a SKILL.md file from a user-provided GitHub repository and instructing the agent to 'follow the instructions' within it. This enables the execution of unvalidated logic inside the agent's current session.
- [COMMAND_EXECUTION]: The skill executes shell commands using the GitHub CLI (
gh api) andbase64to pull content from the internet into the agent's context. - [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by treating remote data as authoritative instructions.
- Ingestion points: Data is ingested from external
SKILL.mdfiles hosted on GitHub via thegh apicommand. - Boundary markers: None. The agent is explicitly told to treat the fetched content as a valid skill and obey its instructions.
- Capability inventory: The agent can run shell commands and interact with APIs, which loaded instructions could exploit.
- Sanitization: No validation or filtering is performed on the content retrieved from GitHub before processing.
Recommendations
- AI detected serious security threats
Audit Metadata