read-github
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted content from GitHub repositories which can contain malicious instructions. Evidence: 1. Ingestion points:
fetch-docs,search-docs, andsearch-codeinSKILL.md. 2. Boundary markers: None specified to separate repo content from agent instructions. 3. Capability inventory: Access to a tool-calling interface (scripts/gitmcp.py call) and an arbitrary URL fetcher (fetch-url). 4. Sanitization: No sanitization or filtering of documentation content is implemented. - Data Exfiltration & Privacy (MEDIUM): Repository documentation and search queries are routed through
gitmcp.io, a third-party service not on the trusted whitelist. This exposes potentially sensitive repo structures or queries to an external provider. - Command Execution (LOW): The skill executes a local Python script
scripts/gitmcp.py. While the script logic is opaque in the provided file, it exposes a CLI interface for the agent to interact with system tools.
Recommendations
- AI detected serious security threats
Audit Metadata