github-repo-management

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFECREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill attempts to locate and read authentication tokens from sensitive local file paths including ~/.hermes/.env and ~/.git-credentials. This behavior is a necessary prerequisite for the skill to perform authorized operations on the user's GitHub account.
  • [EXTERNAL_DOWNLOADS]: Performs network operations targeting the official GitHub REST API at api.github.com. These operations are consistent with the skill's stated purpose of repository management and target a well-known technology service.
  • [COMMAND_EXECUTION]: Uses python3 as a utility to parse JSON responses from API calls. The skill executes static Python code via the -c flag (e.g., python3 -c "import sys,json; ...") to extract specific fields like usernames or repository details. This pattern was identified by automated scanners as a potential remote code execution vector, but manual review confirms it is a safe data-parsing implementation using local, hardcoded scripts.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:45 PM
Security Audit — agent-trust-hub — github-repo-management