cc-actions

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents the use of lifecycle hooks such as PreToolUse and PostToolUse that execute shell commands to perform validation and formatting. For instance, patterns/hooks.md shows tool input being piped into shell commands using jq and xargs to run linters or formatters.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from GitHub events, such as pull request descriptions, issue bodies, and comments, which are then interpolated into agent prompts. Documentation in official-docs/security.md acknowledges this risk and suggests sanitization techniques.
  • [EXTERNAL_DOWNLOADS]: Multiple examples in examples/README.md and official-docs/configuration.md demonstrate the use of npx to download and execute Model Context Protocol (MCP) servers and development tools like Prettier and ESLint at runtime.
  • [REMOTE_CODE_EXECUTION]: The combination of dynamic command execution in hooks and the ability to fetch and run external packages via npx constitutes a potential remote code execution vector if tool inputs are manipulated through indirect prompt injection.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 08:15 AM
Security Audit — agent-trust-hub — cc-actions