skills/plurigrid/asi/gh-interactome/Gen Agent Trust Hub

gh-interactome

Fail

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python script in SKILL.md implements a get_contributors function that executes shell commands using subprocess.run(cmd, shell=True). The command string is constructed using an f-string that interpolates the repo variable without sanitization, allowing arbitrary command execution if a malicious repository name is provided.
  • [COMMAND_EXECUTION]: Recipes in the justfile section, such as gh-interactome-author login:, interpolate arguments directly into shell commands: gh api users/{{login}}. A crafted input containing shell metacharacters could allow an attacker to execute unauthorized commands on the user's system.
  • [DATA_EXFILTRATION]: The combined presence of command injection and network-enabled tools (the gh CLI) creates a high risk of data theft. An attacker could use an injected command to read sensitive local files like ~/.ssh/id_rsa or .env and transmit them to a remote server.
  • [INDIRECT_PROMPT_INJECTION]: This skill presents an attack surface for indirect prompt injection by processing untrusted data from the GitHub API without adequate security controls.
  • Ingestion points: External data enters the context through gh api calls in the get_contributors function and just recipes.
  • Boundary markers: The skill lacks delimiters or explicit instructions to the agent to treat API responses as untrusted content.
  • Capability inventory: The environment includes high-privilege capabilities such as subprocess.run(shell=True) and file system access.
  • Sanitization: There is no evidence of validation or escaping performed on external data before it is processed by shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 21, 2026, 04:06 PM
Security Audit — agent-trust-hub — gh-interactome