setup-repo
Warn
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive file paths including
.env,.env.default, and.env.example. It automates the reading and copying of these files from the repository root to newly created worktree directories (e.g.,reviews/,branchN/). While functional for development environment setup, it involves automated handling of credentials on the local filesystem. - [EXTERNAL_DOWNLOADS]: The skill executes
poetry installandpnpm installcommands within the worktree directories. These operations download and install external dependencies from public package registries (PyPI and NPM) based on the repository's configuration files, which could lead to the installation of malicious packages if used on an untrusted repository. - [COMMAND_EXECUTION]: The skill performs extensive shell command execution to manipulate the file system and Git state. This includes
git worktree add,git branch, directory creation, and running build tools such aspoetry run prisma generate. - [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes data from a local Git repository and executes high-capability tools.
- Ingestion points: Reads repository structure, branch names, and environment file templates.
- Boundary markers: None present to distinguish between trusted skill instructions and untrusted repository content.
- Capability inventory: Subprocess execution (git, poetry, pnpm, prisma), file system writes (cp), and directory creation.
- Sanitization: No explicit sanitization or validation of the repository source or file content is performed.
Audit Metadata