Skills
skills/takazudo/claude-resources/sync-force-to/Gen Agent Trust Hub

sync-force-to

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a bundled bash script using an unquoted variable for arguments.
  • Evidence: The execution instruction bash $HOME/.claude/skills/sync-force-to/scripts/sync-force-to.sh $ARGUMENTS in SKILL.md does not quote the $ARGUMENTS variable.
  • Risk: This allows the shell to perform word splitting and globbing, which can lead to command injection if an attacker-controlled branch name containing shell metacharacters (e.g., ;, |, &) is processed.
  • [COMMAND_EXECUTION]: The skill performs destructive remote operations using the GitHub CLI and Git.
  • Evidence: The script scripts/sync-force-to.sh performs git push --delete on remote branches.
  • Mitigation: The skill includes instructions to the agent to always ask for user confirmation and implements a backup PR mechanism to allow for state recovery.
  • [PROMPT_INJECTION]: The skill contains an attack surface for indirect prompt injection during the configuration of GitHub Actions.
  • Ingestion points: The skill reads existing workflow files from .github/workflows/*.yml in the Setup mode defined in SKILL.md.
  • Capability inventory: The skill has the ability to modify these workflow files using the Edit tool.
  • Boundary markers: No delimiters or specific instructions to ignore embedded content are used when processing the workflow files.
  • Sanitization: The skill does not perform validation or sanitization of the existing workflow content before applying modifications.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 11:10 PM
Security Audit — agent-trust-hub — sync-force-to