github-to-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) as it parses content from untrusted external sources to define agent behavior. Ingestion points: GitHub repository files (README, documentation, source code) via generate_skill_template.py. Boundary markers: Absent; no instructions are provided to the agent to distinguish between its own logic and data found in the repository. Capability inventory: File system writes, subprocess execution via python3, and network access via the GitHub API. Sanitization: Absent; the skill lacks mechanisms to filter or escape instructions embedded in the analyzed repositories.
- COMMAND_EXECUTION (MEDIUM): The workflow relies on executing local Python scripts that take external repository names and search queries as arguments, which could be exploited for command injection if the scripts do not implement strict input validation.
- REMOTE_CODE_EXECUTION (HIGH): The skill is designed to automatically generate executable scripts and package them based on content fetched from remote GitHub repositories, facilitating the introduction of untrusted code into the agent's environment.
- CREDENTIALS_UNSAFE (LOW): Documentation encourages the use of GITHUB_TOKEN environment variables. While standard for API access, this presents a risk of credential exposure if the agent's process environment or command history is accessed.
Recommendations
- AI detected serious security threats
Audit Metadata