github-analysis
Warn
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script named
./snapshot_live_filtered.shusing the bash command. This poses a security risk because the script's content is not managed by the skill itself, and executing it could allow arbitrary commands to run on the host system if the repository environment is untrusted. - [COMMAND_EXECUTION]: Untrusted data extracted from GitHub tickets, such as URLs and image paths, is used to construct shell commands for
curl,wget, andddev exec. A lack of input validation or sanitization at these points could lead to command injection if an attacker crafts a malicious GitHub issue. - [DATA_EXFILTRATION]: The skill facilitates downloading assets and databases from remote servers. If an agent is directed to a malicious production URL provided in a GitHub ticket, it could be tricked into sending local sensitive information or environment data to an attacker-controlled server using
curl,wget, orrsync. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted content from GitHub issues and uses it to perform powerful actions without sufficient safety boundaries.
- Ingestion points: The agent reads GitHub issue titles, descriptions, and comments via GitHub MCP tools.
- Boundary markers: No delimiters or instructions are used to separate untrusted ticket data from the agent's core instructions.
- Capability inventory: The skill has access to shell execution (
bash), container commands (ddev exec), filesystem modifications, and network operations (curl,wget,rsync). - Sanitization: There is no evidence that external inputs from tickets are escaped or validated before being used in shell contexts.
Audit Metadata