gh-interactome
Fail
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Python script in
SKILL.mdimplements aget_contributorsfunction that executes shell commands usingsubprocess.run(cmd, shell=True). The command string is constructed using an f-string that interpolates therepovariable without sanitization, allowing arbitrary command execution if a malicious repository name is provided. - [COMMAND_EXECUTION]: Recipes in the
justfilesection, such asgh-interactome-author login:, interpolate arguments directly into shell commands:gh api users/{{login}}. A crafted input containing shell metacharacters could allow an attacker to execute unauthorized commands on the user's system. - [DATA_EXFILTRATION]: The combined presence of command injection and network-enabled tools (the
ghCLI) creates a high risk of data theft. An attacker could use an injected command to read sensitive local files like~/.ssh/id_rsaor.envand transmit them to a remote server. - [INDIRECT_PROMPT_INJECTION]: This skill presents an attack surface for indirect prompt injection by processing untrusted data from the GitHub API without adequate security controls.
- Ingestion points: External data enters the context through
gh apicalls in theget_contributorsfunction andjustrecipes. - Boundary markers: The skill lacks delimiters or explicit instructions to the agent to treat API responses as untrusted content.
- Capability inventory: The environment includes high-privilege capabilities such as
subprocess.run(shell=True)and file system access. - Sanitization: There is no evidence of validation or escaping performed on external data before it is processed by shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata