repo-hunter
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Step 4 of the core workflow explicitly directs the agent to install and run arbitrary tools found via search queries. The instructions include using package managers such as 'pip', 'npm', and 'apt', or performing a 'direct download' of code for execution. This behavior facilitates the execution of unverified and potentially malicious code from unknown external sources.
- [EXTERNAL_DOWNLOADS]: The skill encourages the agent to download software from any GitHub repository matching user-defined search queries. The evaluation criteria in Step 3 (stars and commit frequency) provide no guarantee of security, safety, or code integrity.
- [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands to install and invoke third-party tools, which could lead to system-level impact or privilege escalation depending on the environment's permissions.
- [PROMPT_INJECTION]: The skill has a high vulnerability surface for indirect prompt injection. 1. Ingestion points: Content from arbitrary GitHub repositories (including README files and documentation) is fetched and processed by the agent (SKILL.md Step 2 and 3). 2. Boundary markers: The skill contains no instructions to ignore or delimit embedded commands or instructions within the external data. 3. Capability inventory: The skill possesses extensive capabilities, including package installation and command execution. 4. Sanitization: No sanitization or validation of the external content or the downloaded code is prescribed before it is executed.
Recommendations
- AI detected serious security threats
Audit Metadata