plugin-research
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
- [PROMPT_INJECTION] (LOW): High surface area for Indirect Prompt Injection. The skill specifically instructs the agent to fetch and parse external content from GitHub (READMEs, CHANGELOGs, and Issues) to generate investigation reports and recommendations. Maliciously crafted content in these public repositories could attempt to influence the agent's logic or behavior.
  - Evidence Chain (Category 8):
    - Ingestion points: `WebFetch` targets such as `https://github.com/{owner}/{repo}/blob/main/README.md` and `https://github.com/{owner}/{repo}/releases` (defined in `github-patterns.md`).
    - Boundary markers: None specified in the extraction prompts; the agent is asked to directly summarize and extract changes from raw text.
    - Capability inventory: `Bash` execution, `Grep`, and file reading capabilities across local Neovim configurations.
    - Sanitization: No explicit sanitization or instruction to ignore embedded directives in the fetched content is provided.
- [COMMAND_EXECUTION] (LOW): Uses `nvim --headless -c "lua ..."` to execute Lua code for environment introspection. While used for legitimate diagnostics (checking if a plugin is loaded or inspecting configuration), this represents dynamic code execution. If the agent interpolates untrusted plugin names into these templates without validation, it could lead to command injection within the Neovim environment.
- [DATA_EXPOSURE] (SAFE): The skill reads Neovim configuration files like `lazy-lock.json` and user `.lua` files. This is consistent with the skill's stated purpose of 'local state' research. No patterns indicating the exfiltration of this data to external domains were found.
Audit Metadata