skills/oaustegard/claude-skills/bm25/Gen Agent Trust Hub

bm25

Warn

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses pickle.load() in scripts/bm25.py to deserialize index data stored in the local cache at /home/claude/.bm25-cache/. This is an unsafe practice because pickle can execute arbitrary code during the loading process. Although the cache is session-local, any compromise allowing file writes to that directory would lead to arbitrary code execution.
  • [COMMAND_EXECUTION]: The resolve_corpus function in scripts/bm25.py uses tarfile.extractall() to extract archives fetched from GitHub. This method is vulnerable to path traversal (Tar Slip), as it does not validate that archive members remain within the intended extraction directory, potentially allowing an attacker-controlled archive to overwrite sensitive files.
  • [EXTERNAL_DOWNLOADS]: The skill fetches repository archives from the GitHub API (api.github.com) when a user provides a GitHub URL. This functionality is part of the tool's intended search capabilities for remote repositories.
  • [PROMPT_INJECTION]: The skill indexes and displays text from untrusted external sources (such as uploaded files or remote repositories) and includes snippets in its output. It does not use robust boundary markers or sanitization, which creates a surface for indirect prompt injection if the corpus contains malicious instructions designed to be interpreted by the agent.
  • Ingestion points: scripts/bm25.py (the discover_files function reads all text-based files in the target corpus)
  • Boundary markers: Absent (snippets are displayed as indented text without clear delimiters or 'ignore' instructions)
  • Capability inventory: Shell access via the CLI, local file read/write (for caching), and network access for repository fetching
  • Sanitization: None identified for the content of the snippets
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 22, 2026, 06:02 AM
Security Audit — agent-trust-hub — bm25