github-workflow
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple CLI tools including git, gh, node, and npx. Most critically, it executes arbitrary commands stored in a local configuration file (~/.bonfire/source.json) which are dynamically updated during a task discovery phase. This architecture allows for the persistence and later execution of commands that may be influenced by external inputs.
- [REMOTE_CODE_EXECUTION]: Through the discovery workflow, the skill runs npx skills find <keyword>, where the keyword is derived from untrusted task URLs or text provided by the user. This creates a vector for executing arbitrary npm packages. Additionally, it executes local Node.js scripts (query.mjs) with arguments derived from external data sources.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It fetches task titles, descriptions, and comments from external platforms and interpolates them directly into a TODO.md file, which serves as the primary instruction set for a SubAgent without any protective boundaries or sanitization.
  - Ingestion points: Untrusted data enters the agent context via external task URLs and descriptions (documented in feature-task-retrieval.md).
  - Boundary markers: Absent. The TODO.md template in feature-todo-spec.md contains no delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The skill has broad capabilities including shell execution (git, gh, node, npx), file system modification, and task delegation to SubAgents.
  - Sanitization: None. The external content is placed directly into markdown files without escaping or validation.
Recommendations
- AI detected serious security threats
Audit Metadata