github-repo-management
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFECREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill attempts to locate and read authentication tokens from sensitive local file paths including
~/.hermes/.envand~/.git-credentials. This behavior is a necessary prerequisite for the skill to perform authorized operations on the user's GitHub account. - [EXTERNAL_DOWNLOADS]: Performs network operations targeting the official GitHub REST API at
api.github.com. These operations are consistent with the skill's stated purpose of repository management and target a well-known technology service. - [COMMAND_EXECUTION]: Uses
python3as a utility to parse JSON responses from API calls. The skill executes static Python code via the-cflag (e.g.,python3 -c "import sys,json; ...") to extract specific fields like usernames or repository details. This pattern was identified by automated scanners as a potential remote code execution vector, but manual review confirms it is a safe data-parsing implementation using local, hardcoded scripts.
Audit Metadata