forgejo-cli-ops
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill presents a significant indirect prompt injection surface. Ingestion points: The skill interacts with external content from Forgejo repositories, including issue descriptions and pull request comments via 'fj repo view' or similar. Capability inventory: It has the ability to modify repositories, manage issues/PRs, and update authentication keys through the 'fj' CLI. Boundary markers: The skill documentation does not define any delimiters or instructions to help the agent distinguish between control logic and untrusted external data. Sanitization: No sanitization mechanisms are described for data retrieved from external Forgejo instances.
- [COMMAND_EXECUTION] (MEDIUM): The skill allows the agent to execute shell commands using the 'fj' and 'secret-tool' binaries. This capability can be weaponized if an attacker successfully injects instructions via repository content to manipulate command arguments.
- [CREDENTIALS_UNSAFE] (LOW): Documentation suggests using 'echo -n <PAT_VALUE> | secret-tool' to store tokens. While the storage is secure, the act of piping secrets through echo can expose them in process logs or shell history on certain operating systems.
Recommendations
- AI detected serious security threats
Audit Metadata