gha-security-review
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: CRITICAL
Full Analysis
- [EXTERNAL_DOWNLOADS]: The reference files (specifically references/real-world-attacks.md) contain URLs to known malicious domains such as recv.hackmoltrepeat.com and hackmoltrepeat.com. These are explicitly documented as indicators from the HackerBot Claw campaign to assist auditors in identifying compromised workflows.
- [REMOTE_CODE_EXECUTION]: The documentation includes several examples of remote code execution patterns (e.g., 'curl | bash' and Go 'init()' injections) used as templates for Proof of Concept (PoC) construction. These are used to demonstrate how an external attacker might exploit misconfigured workflows.
- [COMMAND_EXECUTION]: The skill requests access to the Bash and Task tools. This is consistent with its stated purpose of performing security audits, which may require running commands like grep, glob, or custom scripts to analyze workflow files and repository structure.
- [DATA_EXFILTRATION]: The references describe various techniques used by attackers to exfiltrate GITHUB_TOKENs or secrets, such as using curl or DNS exfiltration. These are documented to help auditors recognize and mitigate exfiltration risks in CI/CD pipelines.
Recommendations
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata