githacker-git-leak

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The URLs point to an untrusted target .git directory (which can expose arbitrary or malicious files and sensitive data) and a third‑party GitHub repository for a security tool — GitHub hosting lowers but does not eliminate risk, so these sources should be treated with caution (review code and run in a sandbox/Docker) and are moderately high risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content explicitly instructs how to exploit exposed .git directories to recover full repository history (including deleted commits, stash, branches, tags, reflog) enabling unauthorized data exfiltration and credential/API-key harvesting and notes running untrusted repo content in Docker due to potential malicious hooks (supply-chain risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md shows the tool fetches arbitrary public /.git/ directories (e.g., examples: "githacker --url http://target/.git/" and "--url-file websites.txt") and instructs the agent to read and act on the recovered repository contents (git checkout, grep for secrets), so untrusted third-party content could materially influence behavior or carry malicious instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires fetching and running the external GitHacker tool (e.g. repository https://github.com/WangYihang/GitHacker and its docker image wangyihang/githacker), which is clearly used at runtime and would execute remote code on the operator's host.