public-repo-explorer

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external repositories.
      • Ingestion points: Workflow steps 2 and 4 in SKILL.md instruct the agent to clone a repository from a user-supplied URL and read files such as README.md and dependency manifests.
      • Boundary markers: The instructions do not define boundary markers or provide 'ignore instructions' warnings to the agent when it reads external file content.
      • Capability inventory: The skill uses mkdir, git clone, and rm -rf via the shell, alongside internal tools for file reading.
      • Sanitization: There is no evidence of sanitization or validation of the content retrieved from the external repositories before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute shell commands to manage its workspace.
      • Evidence: SKILL.md contains commands for directory creation (mkdir -p /tmp/agent-repo-scan), navigation (cd), and cleanup (rm -rf).
  • [EXTERNAL_DOWNLOADS]: The skill downloads data from remote sources based on user input.
      • Evidence: Step 2 of the workflow uses git clone with a user-provided <REPOSITORY_URL> to fetch external data to the local machine.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 7, 2026, 11:44 PM