go-create-repository
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill interpolates user-provided module and entity names directly into file system paths (e.g., internal/modules//ports/_repository.go) without validation or boundary markers. This creates a high-risk surface for indirect prompt injection where an attacker could provide names containing path traversal sequences (../) to overwrite sensitive files.
- [COMMAND_EXECUTION] (MEDIUM): The workflow instructions require the agent to run make lint and make nilaway. Since the Makefile is part of the local environment and not controlled by the skill, this allows for the execution of arbitrary shell commands defined in the Makefile.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The generated Go templates reference external repositories (github.com/cristiano-pacheco/pingo and github.com/cristiano-pacheco/bricks) which are not included in the trusted organizations list, posing a risk of executing code from unverified sources.
Recommendations
- AI detected serious security threats
Audit Metadata