search-github
Fail
Audited by Snyk on Jul 5, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt explicitly instructs the subagent to use mode "bypassPermissions", which tells the agent to circumvent access controls and potentially exfiltrate unauthorized data—an instruction outside the benign GitHub-search purpose and therefore a prompt injection.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This prompt instructs the agent to fetch and "report the results back ... exactly as returned" from a GitHub search, which can include verbatim secrets (API keys, tokens, passwords) found in repository content, enabling secret exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). At runtime the required workflow calls the
github-searchersubagent to search GitHub and then returns the agent’s results verbatim; GitHub content (issues/PRs/comments/wiki text) is outsider-authored free text that the subagent will ingest and pass into the LLM context.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt explicitly tells the agent to call a subagent with mode "bypassPermissions," which directs the agent to circumvent permission/security checks even though it doesn't ask for sudo or file changes.
Issues (4)
E004
CRITICALPrompt injection detected in skill instructions.
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata