tg

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bootstrap script auth.sh uses sudo to create a symlink in the system-wide /usr/local/bin directory, which represents a request for elevated administrative privileges on the host system.
  • [COMMAND_EXECUTION]: The skill executes a bundled binary (bin/tg) and a shell script (auth.sh) distributed within the skill's file structure.
  • [DATA_EXFILTRATION]: The skill instructions direct the agent to read the user's SSH public key from the sensitive file path ~/.ssh/id_ed25519.pub and transmit it to the Tangled service during registration.
  • [CREDENTIALS_UNSAFE]: The skill retrieves and processes sensitive ATProto/Bluesky app passwords from environment variables (ATPROTO_APP_PASSWORD and BSKY_APP_PASSWORD). While standard for this protocol, these secrets are handled by the local bootstrap script.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by processing untrusted content from external Tangled issues and pull requests.
  • Ingestion points: Data fetched via tg issue view and tg pr view from external repositories.
  • Boundary markers: No specific delimiters or safety instructions are provided to the agent to distinguish between platform data and user instructions.
  • Capability inventory: Execution of local scripts/binaries, network communication, and repository cloning into the local workspace.
  • Sanitization: The skill lacks explicit sanitization or validation mechanisms for content retrieved from external sources before it is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 04:24 PM
Security Audit — agent-trust-hub — tg