copilot-sdk
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill encourages the installation of packages from public registries, such as 'github-copilot-sdk' and '@github/copilot-sdk'. These packages do not currently match official GitHub releases, and the documentation references non-existent model versions (e.g., gpt-4.1, claude-sonnet-4.5), which indicates the source may be unverifiable or untrustworthy.
- [COMMAND_EXECUTION]: The installation guide instructs users to execute shell commands (e.g., 'npm install', 'pip install', 'go get', 'dotnet add') to download and install external code directly onto their local system.
- [PROMPT_INJECTION]: The architecture for the 'Interactive CLI Assistant' is vulnerable to indirect prompt injection.
  - Ingestion points: Untrusted user data is ingested through 'readline.question' (TypeScript) and 'input()' (Python) functions.
  - Boundary markers: No delimiters or safety instructions are used to separate user input from the system prompt.
  - Capability inventory: The system includes custom tool execution (e.g., 'get_weather') and MCP server integration, which can be exploited if the model is manipulated.
  - Sanitization: The skill lacks any input validation or sanitization before passing user data to the LLM.
Audit Metadata