hugo
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill instructs downloading the Hugo binary from 'gohugoio/hugo', which is not a trusted source.
- Privilege Escalation (HIGH): The installation process requires 'sudo dpkg', granting root privileges to an unverified binary.
- Unverifiable Dependencies & Remote Code Execution (HIGH): Integration of third-party themes via 'git submodule add' from 'adityatelange/hugo-PaperMod' introduces unverified code into the build process.
- Indirect Prompt Injection (HIGH): High risk due to untrusted data ingestion (themes, CMS scripts) combined with build and deploy capabilities. Ingestion points: README.md (Git submodules, unpkg). Boundary markers: None. Capability inventory: 'hugo' build, 'wrangler' deploy, and 'init-hugo.sh' execution. Sanitization: None described.
Recommendations
- AI detected serious security threats