github-codebase-search
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The script
scripts/github-codebase-search.pydownloads the@morphllm/morphmcppackage from the NPM registry at runtime using thebunxcommand. - [REMOTE_CODE_EXECUTION]: The skill executes the
@latestversion of an unverified NPM package (@morphllm/morphmcp) within a subprocess. Since the package version is not pinned and the source organization is not pre-verified, this introduces a supply chain risk where the remote package could be modified to include malicious payloads. - [PROMPT_INJECTION]: The
SKILL.mdfile contains the directive: 'DO NOT read script source code. Run scripts directly and use --help for usage.' This is a concealment pattern that explicitly instructs the agent to execute code without performing the standard safety verification of inspecting the source content. - [COMMAND_EXECUTION]: The Python script uses
subprocess.runto execute shell commands, includingmcporter,bunx, andshutil.whichchecks. This capability allows the skill to interact with the host system's shell environment directly. - [PROMPT_INJECTION]: The skill processes untrusted data from external GitHub repositories, which constitutes an indirect injection surface.
- Ingestion points: The script
scripts/github-codebase-search.pyretrieves and displays contents from public GitHub repositories. - Boundary markers: No specific boundary markers or instructions are provided to the agent to treat the fetched repository content as untrusted data.
- Capability inventory: The skill can execute shell commands and install/run remote packages through the
subprocess.runcalls in the search script. - Sanitization: The skill does not implement sanitization or validation of the file contents retrieved from the GitHub API before presenting them to the agent.
Audit Metadata