skill-from-github
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and 'deeply understand' untrusted data from external GitHub repositories, including READMEs, source code, and examples. This is a significant attack surface.
- Ingestion Points: Content is fetched from arbitrary GitHub repositories identified during Step 2 (Search) and Step 4 (Deep Dive).
- Boundary Markers: None. The instructions do not specify any delimiters or warnings to the model to ignore embedded instructions within the analyzed data.
- Capability Inventory: The output of this skill directly feeds into 'skill-creator', which has the high-privilege capability of defining new instructions and behaviors for the AI agent.
- Sanitization: None. The agent is explicitly told to extract 'best practices' and 'methodology' from the untrusted code, which could easily include malicious instructions designed to subvert the agent or the newly created skill.
- Data Exposure (LOW): The skill facilitates network operations to fetch data from GitHub. While this is the intended purpose, it involves processing external content that could contain links to malicious domains or phishing sites.
Recommendations
- AI detected serious security threats
Audit Metadata