gastown
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of software from external GitHub repositories (github.com/steveyegge/gastown and github.com/steveyegge/beads) via the 'go install' command, which is not from a pre-approved or trusted organization.
- [REMOTE_CODE_EXECUTION]: The installation process involves downloading source code which is then compiled and executed as binaries ('gt' and 'bd'). This pattern allows for the execution of arbitrary code from an external, third-party provider on the host environment.
- [COMMAND_EXECUTION]: The skill requires and uses unrestricted 'Bash' access to perform system setup, tool execution, and workspace management.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  - Ingestion points: Processes data from project repositories ('rigs') and receives task instructions via a simulated 'mail' system from other agents (Witness, Refinery) as seen in references/commands-(you-run-these).md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands within the external data are present in SKILL.md or the reference files.
  - Capability inventory: The skill utilizes 'Bash(cmd:*)', 'Write', 'Edit', and 'WebFetch' tools as defined in SKILL.md.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the content processed from beads or repository files before it influences agent actions.
Recommendations
- AI detected serious security threats
Audit Metadata