fetch-ci-build
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core functionality involves ingesting and acting upon untrusted data from external CI logs.
  - Ingestion points: The skill fetches build logs and job outputs from Buildkite (`scripts/fetch_buildkite_failures.py`), CircleCI (`scripts/fetch_circleci_failures.py`), and GitHub Actions (`references/github.md`).
  - Boundary markers: There are no explicit delimiters or system instructions defined to prevent the agent from following instructions embedded within the logs.
  - Capability inventory: The skill encourages the agent to propose and apply code fixes based on log parsing, and can trigger the `systematic-debugging` skill for further action.
  - Sanitization: While the scripts use regex for pattern matching and truncate logs to 500 characters, these measures do not sanitize the content against malicious natural language instructions.
- [COMMAND_EXECUTION]: The skill executes local git commands for environment discovery.
  - Evidence: `scripts/fetch_buildkite_failures.py` and `scripts/fetch_circleci_failures.py` use `subprocess.run` to call `git branch --show-current` and `git remote get-url origin`. These calls use static arguments and are restricted to retrieving project metadata.
- [DATA_EXFILTRATION]: The skill manages sensitive API tokens and performs network operations to CI provider domains.
  - Evidence: The skill requires `BUILDKITE_API_TOKEN` and `CIRCLECI_TOKEN` to function. All identified network requests are directed to official, well-known service endpoints including `api.buildkite.com`, `buildkite.com`, and `circleci.com` for the purpose of fetching build artifacts.
Audit Metadata