skills/simota/agent-skills/harvest/Gen Agent Trust Hub

harvest

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/generate-report.js is vulnerable to command injection. It builds a command-line string for the GitHub CLI (gh) by directly concatenating the --repo and --author arguments. This string is then executed using child_process.execSync, allowing shell metacharacters in the arguments to trigger arbitrary command execution.
  • Evidence: Inside scripts/generate-report.js, the code uses cmd += ` -R ${options.repo}`; and then execSync(cmd, ...).
  • [COMMAND_EXECUTION]: The shell script scripts/html-to-pdf.sh contains command injection vulnerabilities. It constructs command strings for headless Chrome and wkhtmltopdf using input arguments and then executes them via bash -c. Because variables like INPUT_FILE and OUTPUT_FILE are not properly sanitized before being passed to a sub-shell, malicious filenames could lead to arbitrary code execution.
  • Evidence: In scripts/html-to-pdf.sh, the script defines local cmd="\"$chrome_cmd\" ... --print-to-pdf=\"$OUTPUT_FILE\" ...\"file://$INPUT_FILE\"" and subsequently calls run_with_timeout "$cmd", which performs a bash -c "$cmd".
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8).
  • Ingestion points: The agent ingests untrusted data from GitHub PR titles, descriptions, and labels in the COLLECT and ANALYZE phases.
  • Boundary markers: No specific delimiters or instructions are used to ensure the agent ignores embedded instructions within the PR data.
  • Capability inventory: The skill has powerful capabilities, including shell command execution via local scripts and file system manipulation.
  • Sanitization: While the output scripts use escapeHtml for display, there is no validation or filtering of the content before it is interpreted by the agent's reasoning engine, allowing malicious PR metadata to influence agent behavior.
  • [SAFE]: The skill's primary dependencies—the GitHub CLI (gh), puppeteer, and chart.js (via a well-known CDN)—are reputable and appropriate for the skill's stated purpose of PR data visualization and reporting.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 10:14 AM