skills/b1tank/skills/clone-with-hash/Gen Agent Trust Hub

clone-with-hash

Warn

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands (git clone, git checkout) and inline Python code using a heredoc in scripts/clone_with_hash.sh. While arguments are quoted, the execution of git clone on untrusted sources is an inherent risk vector for command execution via malicious git configurations or hooks.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations to download repository data from remote URLs using the git clone command.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing external repository data that could influence subsequent agent behavior.
      • Ingestion points: Repository paths or URLs provided to the cloning script as specified in SKILL.md and scripts/clone_with_hash.sh.
      • Boundary markers: No delimiters or isolation instructions are provided to separate the untrusted repository content from the agent's instructions.
      • Capability inventory: The skill uses git clone, git checkout, and subprocess execution of Python code to generate directory names.
      • Sanitization: No validation or sanitization of the repository content is performed after cloning.
  • [DATA_EXFILTRATION]: The skill allows cloning of arbitrary local directory paths without restriction. This capability can be abused to copy sensitive system or user directories (e.g., ~/.ssh, .env files) to new, potentially exposed locations, leading to unauthorized data exposure.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 4, 2026, 10:09 PM