github-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [Privilege Escalation] (HIGH): The skill (SKILL.md) instructs the agent to execute multiple commands with root privileges using
sudo, includingsudo apt install,sudo dd, andsudo tee. These are used to modify system repositories and install software, which are high-privilege operations. - [Data Exposure & Exfiltration] (HIGH): The skill (SKILL.md) explicitly references and provides logic for interacting with the user's private SSH key (
~/.ssh/id_ed25519). Accessing private cryptographic keys via an AI agent is a high-risk activity that could lead to credential exposure. - [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill (SKILL.md) downloads a GPG keyring and repository setup from
cli.github.com. Per [TRUST-SCOPE-RULE], this is downgraded to LOW as the source is a trusted GitHub-affiliated domain. - [Data Exposure & Exfiltration] (MEDIUM): The skill includes instructions to use
sshto read files from external servers (e.g.,ssh lt4 "cat ..."). This capability allows the agent to retrieve potentially sensitive remote data into its context. - [Indirect Prompt Injection] (LOW): The skill reads external file content from remote servers via SSH without sanitization or boundary markers. This represents an attack surface where an attacker-controlled file could influence agent behavior.
- Ingestion points:
ssh lt4 "cat ..."(SKILL.md) - Boundary markers: Absent
- Capability inventory:
ssh,git,sudo,curl(SKILL.md) - Sanitization: Absent
Recommendations
- AI detected serious security threats
Audit Metadata