sync-repos
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to analyze code changes (which can be attacker-controlled in Pull Request or shared repository environments) and provide a 'Sync Report' that includes executable commands.
  - Ingestion points: The skill ingests untrusted data via `git diff` output and the `Read` tool, which scans repository files (`src/api/models.py`, `src/services/auth.py`, etc.) for specific patterns.
  - Boundary markers: No boundary markers or 'ignore' instructions are used to separate untrusted code content from the agent's instructions.
  - Capability inventory: The skill utilizes `Bash` (arbitrary command execution) and `Read` (arbitrary file access), and targets paths outside the current working directory (`~/Desktop/repos/`).
  - Sanitization: No sanitization or validation of the analyzed code content is performed before determining the next actions.
- [Command Execution] (MEDIUM): The skill explicitly instructs the agent to generate and potentially execute commands in sibling directories (e.g., `npm run generate:types` in `~/Desktop/repos/deep-read-portal`). This expands the agent's attack surface to multiple projects on the user's machine.
- [Data Exposure] (LOW): The skill hardcodes and targets paths within the user's home directory (`~/Desktop/repos/`), which may expose information about the user's local file structure to the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata