gh-code-search
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill fetches and decodes content from external GitHub repositories using the GitHub API. This creates a large attack surface for Indirect Prompt Injection. A malicious repository could contain 'poisoned' code or markdown comments designed to hijack the agent's logic. \n
- Ingestion points: File contents retrieved via gh api and decoded via base64. \n
- Boundary markers: None present to isolate external code from the agent's system prompt. \n
- Capability inventory: High-privilege access via gh CLI (search, api, and potentially write operations) and local script execution. \n
- Sanitization: None. \n- COMMAND_EXECUTION (MEDIUM): The documentation instructs the agent to execute a local shell script at ./scripts/search_code.sh. Since this script is not provided in the skill package, its contents cannot be verified. This introduces a risk of executing unvetted or malicious code if a file with that name exists on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata