Skills
skills/btraut/skills-external/read-github/Gen Agent Trust Hub

read-github

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/gitmcp.py script uses subprocess.Popen to execute the npx command-line utility.
  • [EXTERNAL_DOWNLOADS]: The script executes npx -y mcp-remote, which automatically downloads the mcp-remote package from the NPM registry if it is not already installed locally.
  • [REMOTE_CODE_EXECUTION]: The skill connects to remote MCP servers (at gitmcp.io or arbitrary user-supplied URLs). These remote servers provide the tool definitions and logic that the agent subsequently executes.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes documentation from external GitHub repositories. Malicious instructions embedded in these repositories could be used to manipulate the agent.
  • Ingestion points: Data is fetched from gitmcp.io and arbitrary external URLs via the fetch-url command in scripts/gitmcp.py.
  • Boundary markers: No delimiters or safety instructions are used to separate fetched content from the agent's context.
  • Capability inventory: The skill can execute shell commands via subprocess, make arbitrary network connections, and read repository documentation and code.
  • Sanitization: There is no evidence of validation or filtering of the content retrieved from remote repositories before it is passed to the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 4, 2026, 08:45 PM