run-repo-cleanup
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill's instructions explicitly recommend hardcoding secrets into scripts if the project policy forbids `.env` files and the repository is private. This practice directly violates security best practices regarding secret management and exposes sensitive credentials to anyone with access to the codebase.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from `git status`, `git diff`, and `git log`. An attacker could commit malicious payloads in branch names or commit messages which are then parsed by scripts like `draft-pr-body.py` and presented to the agent, potentially influencing its behavior during the cleanup process. The skill lacks sanitization or boundary markers for this external data.
- [COMMAND_EXECUTION]: All utility scripts included with the skill (e.g., `audit-state.py`, `retire-merged-branches.py`) utilize `subprocess.run` to execute shell commands. While these are necessary for interacting with Git and the GitHub CLI, they provide a powerful capability that could be exploited if malicious inputs were to influence command arguments.
- [DYNAMIC_EXECUTION]: The script `audit-state.py` uses dynamic module loading via `__import__("re")` to initialize its regex patterns. This technique is often used to evade simple static analysis scanners and is considered a form of code obfuscation, even though it is used for the standard library here.
Audit Metadata