plugin-review

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's orchestration logic for identifying affected plugins relies on parsing output from git diff and interpolating the resulting strings directly into shell commands.
  • Evidence: In modules/dependency-detection.md, the command git diff main --name-only | grep '^plugins/' | sed 's|^plugins/\([^/]*\)/.*|\1|' | sort -u is used to determine which plugins to audit. These names are subsequently used in modules/tier-branch.md in commands such as python3 plugins/abstract/scripts/validate_plugin.py plugins/<plugin> and cd plugins/<plugin> && make test.
  • Risk: If a repository contains a directory with a name containing shell metacharacters (e.g., plugins/$(touch RCE)/), the agent might execute arbitrary commands when performing the automated checks.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 07:38 AM