Skills
NYC
skills/bahayonghang/my-claude-code-settings/skill-seekers/Gen Agent Trust Hub

skill-seekers

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • DATA_EXFILTRATION (HIGH): The logic defined in src/skill_seekers/mcp/git_repo.py (specifically the inject_token method) automatically prepends sensitive authentication tokens to git URLs using the format https://TOKEN@github.com/.... This is a high-risk pattern because if the tool is directed to a malicious or non-whitelisted domain, the user's private token will be transmitted to the external server. Furthermore, tokens embedded in URLs are frequently leaked through shell history, log files, and monitoring systems.
  • COMMAND_EXECUTION (MEDIUM): The skill extensively uses subprocess.run and other command execution APIs (as documented in src/skill_seekers/cli/enhance_skill_local.py and src/skill_seekers/mcp/tools/packaging_tools.py) to interact with the local operating system, terminal applications, and external CLI tools like git and claude. While these are part of its primary codebase analysis function, the ability to execute commands in an environment that processes untrusted external data is a significant risk factor.
  • PROMPT_INJECTION (LOW): The skill has a large surface for Indirect Prompt Injection. It ingests untrusted data from URLs, GitHub repositories, and PDF files through modules such as codebase_scraper.py and github_fetcher.py. This content is then used to construct prompts for LLMs during 'enhancement' phases (e.g., _build_enhancement_prompt in claude.py). A malicious repository or document could contain hidden instructions that manipulate the output or behavior of the agent during skill generation.
  • Ingestion points: codebase_scraper.py, github_fetcher.py, and pdf_extractor_poc.py collect content from arbitrary external sources.
  • Boundary markers: No delimiters or safety instructions are mentioned in the API documentation for prompt construction.
  • Capability inventory: The skill can execute subprocesses, write to the filesystem (config_manager.py), and perform network operations (requests).
  • Sanitization: No evidence of sanitization or validation of external content before it is interpolated into LLM prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:46 PM