github-repo-init
Fail
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation in `SKILL.md` recommends an insecure installation and usage pattern: `source <(curl -s https://example.com/github-repo-init.sh)`. This method executes remote code directly in the user's shell without prior inspection.
- [COMMAND_EXECUTION]: The script `github-repo-init.sh` is vulnerable to command injection during the README generation phase. It uses an unquoted heredoc (`cat > README.md << EOF ... $REPO_DESC ... EOF`) to write the project description to a file. Since the `REPO_DESC` variable is populated from user input and the shell performs command substitution inside unquoted heredocs, a malicious description containing backticks or `$(...)` syntax will execute arbitrary commands with the user's privileges.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through project metadata.
  - Ingestion points: Reads the repository name from the current directory and accepts user-provided strings for project descriptions and topics via the `read -p` command in `github-repo-init.sh`.
  - Boundary markers: None. Data is interpolated directly into shell commands and file templates without delimiters.
  - Capability inventory: File system writes (`README.md`), Git operations (`git commit`, `git push`), and GitHub API interactions (`gh repo create`, `gh repo edit`, `gh api`).
  - Sanitization: The repository name has regex validation, but the project description and topics are used in shell commands and templates without escaping, leading to the command execution vulnerability.
- [EXTERNAL_DOWNLOADS]: The skill's documentation suggests downloading and executing a shell script from an external URL (`example.com`), which bypasses standard security reviews and could lead to system compromise if the source is malicious or hijacked.
Recommendations
- AI detected serious security threats
Audit Metadata