git-subtree-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary purpose is to download external repository content into the `docs/` directory for the agent to reference. This creates a massive attack surface where malicious instructions in a remote repository could influence the agent's behavior.
  - Ingestion points: `docs/` directory populated via `git subtree add` and `git subtree pull`.
  - Boundary markers: None present. The agent is encouraged to read and reference these files directly.
  - Capability inventory: High-privilege write operations including modification of `eslint.config.mjs`, `biome.json`, `.github/dependabot.yml`, and critically, other `.claude/skills/*/SKILL.md` files.
  - Sanitization: No validation or sanitization of the downloaded content or the repository URLs is performed.
- Command Execution (MEDIUM): The skill utilizes shell commands (`git subtree`, `git stash`, `rm -rf`) that incorporate user-provided or agent-interpolated strings (`<name>`, `<repo-url>`, `<branch>`). While intended for git management, this allows the agent to execute operations on the filesystem with variables derived from potentially untrusted input.
- External Downloads (MEDIUM): The skill downloads code from arbitrary remote URLs. While the examples provided are well-known libraries, the instruction set allows for any `<repo-url>` to be used, and none of the example organizations are within the predefined Trusted External Sources scope.
Recommendations
- AI detected serious security threats