Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's 'Prepare subagent' is instructed to execute shell commands including `mkdir`, `git clone`, and `git pull`. These commands incorporate the `url` and `slug` variables, which are derived from user input. This pattern creates a potential command injection vulnerability if the underlying agent platform does not sanitize these variables before shell execution.
- [COMMAND_EXECUTION]: The 'Persist subagent' is authorized to write to and modify the `AGENTS.md` file in the user's working directory, which is a file system persistence mechanism that could be misused if provided with malicious metadata.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download code from arbitrary external sources (GitHub, GitLab, Bitbucket, etc.) based on user-provided URLs. This behavior involves fetching untrusted content from unverifiable sources into the local environment.
- [DATA_EXFILTRATION]: The searching and summarization process reads files from external repositories and extracts data into the agent's context. This process can lead to the exposure of sensitive information found within the repositories.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection attack surface.
  - Ingestion points: External git repositories cloned to the `./sandbox/` directory.
  - Boundary markers: The instructions do not define any delimiters or warnings to ignore instructions found within the processed repository files.
  - Capability inventory: The skill can perform shell commands (`git`), read local files, and write to the local `AGENTS.md` file.
  - Sanitization: There is no mention of sanitizing or validating repository content before it is processed by the agent.
Recommendations
- AI detected serious security threats