bug-predictor

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH
Category: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Command injection vulnerability in the git churn analysis logic. The getChurnData function in scripts/predict.ts constructs a shell command using string interpolation of the since argument, which is a user-controlled parameter from SKILL.md. An attacker can provide a crafted string containing shell metacharacters (e.g., ;, &&, |) to execute arbitrary system commands with the privileges of the agent process. Evidence: execSync(`git log --since="${since}" --name-only --pretty=format: -- .`, ...).
  • [COMMAND_EXECUTION]: Unvalidated arbitrary file write via the out argument. The predict function in scripts/predict.ts uses fs.writeFileSync to save the analysis report to a file path specified by the user. There is no path validation or sandboxing, allowing an attacker to overwrite sensitive system configuration or user files (e.g., ~/.bashrc, /etc/passwd). Evidence: fs.writeFileSync(options.outPath, JSON.stringify(report, null, 2)).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 25, 2026, 03:33 AM