gco-research
Warn
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: User-provided content, such as the research topic and slug, is interpolated directly into shell commands. In Step 3, the instruction executes `bash $HOME/.claude/skills/gco/scripts/gco-run.sh "<research prompt>"`. If the user input contains shell metacharacters and the agent fails to escape them, this allows for arbitrary command execution.
- [EXTERNAL_DOWNLOADS]: In Step 7, the skill executes `pnpm dlx @takazudo/mdx-formatter`. This command fetches and runs code from the public NPM registry at runtime. While the package belongs to the author, executing unpinned code from a public registry introduces a supply chain risk.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from the web via Copilot output or a researcher subagent and synthesizes the findings. The instructions lack boundary markers or explicit directives to ignore instructions embedded within the researched content.
- Ingestion points: Copilot output logs and subagent research results in SKILL.md.
- Boundary markers: None identified.
- Capability inventory: Shell access (bash), Node.js execution, and file system writes.
- Sanitization: None identified.
Audit Metadata