art-repo-upload

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill requires a service account key file named ace-art-repo-secret.json to be present in the project root. Hardcoding or requiring sensitive credential files in predictable locations increases the risk of accidental exposure or theft.
  • [DATA_EXFILTRATION]: The script reads files from the downloads/ directory and uploads them to an external Google Drive folder (ID: 1TVKblJrcQii4YHYMMons2bBokyGiClsH). While intended for art backups, this mechanism could be repurposed to exfiltrate any file placed in the monitored directories to an attacker-controlled Drive account.
  • [COMMAND_EXECUTION]: The documentation suggests executing the skill using pnpm exec tsx or node --import tsx/esm, which involves dynamic execution of TypeScript/JavaScript code. If the upload.ts file or its dependencies are tampered with, it could lead to arbitrary code execution on the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 01:20 AM