repo-explorer
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUM. Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by directly interpolating user-provided inputs such as the repository URL, local paths, and the user's question. This creates a high risk of command injection if the user provides input containing shell metacharacters (e.g., semicolons, backticks, or pipe operators).
  - Evidence: The command `git clone --depth 1 <url> "$REPO_DIR"` in SKILL.md takes the `<url>` directly from user input.
  - Evidence: The command `cd <repo_path> && CLAUDECODE= claude -p "<question>"` in SKILL.md interpolates both the path and the question into a shell string.
- [EXTERNAL_DOWNLOADS]: The skill performs remote downloads by cloning repositories from GitHub, GitLab, and Bitbucket. While these are well-known services, the automated cloning and processing of arbitrary external code represents a significant attack surface.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It clones external repositories and instructs a nested AI agent (Claude Code CLI) to analyze them. A malicious repository could contain files with hidden instructions designed to hijack the sub-agent's behavior.
  - Ingestion points: `git clone` downloads external repository content into a temporary directory defined in SKILL.md (Workflow Step 2).
  - Capability inventory: The sub-agent is granted access to tools including `Read`, `Grep`, `Glob`, and several `Bash` commands (`find`, `ls`, `git log`, etc.), as seen in the `--allowedTools` flag in SKILL.md (Workflow Step 3).
  - Boundary markers: Absent. The instructions do not define clear delimiters or "ignore instructions" wrappers for the external code being read.
  - Sanitization: None. The content is read directly from the filesystem by the CLI tool.
Audit Metadata