github-author-context

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands such as gh, git, and rg, along with a custom vendor script clawtributors. These commands interpolate user-controlled placeholders like <login>, <name>, and <owner/repo> directly into the command string. Without sanitization, this pattern is vulnerable to command injection if malicious strings are provided as GitHub identifiers.
  • [PROMPT_INJECTION]: The skill processes untrusted external data from GitHub profiles and pull requests without using boundary markers or sanitization. This creates a surface for indirect prompt injection where an attacker could influence the agent's behavior by embedding instructions in their GitHub account information.
      • Ingestion points: GitHub API responses and PR search results processed in SKILL.md.
      • Boundary markers: Absent.
      • Capability inventory: Shell execution of gh, rg, git, and local scripts as defined in SKILL.md.
      • Sanitization: None.
  • [PROMPT_INJECTION]: The skill includes instructions to bypass operations for specific user identities (e.g., steipete). Such logic can be a target for impersonation attempts.
  • [DATA_EXFILTRATION]: The skill accesses local files in ~/Projects/maintainers/ and ~/Projects/openclaw-maintainers/ to retrieve contributor notes. While intended for maintenance, this access could be exploited to expose sensitive data if the agent is manipulated via indirect prompt injection to search for other file types or paths.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 11, 2026, 06:37 AM