gastown
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install external software using Go commands (`go install github.com/steveyegge/gastown/cmd/gt@latest` and `go install github.com/steveyegge/beads/cmd/bd@latest`). These sources are personal repositories and are not from a recognized organization or official service provider, making the execution of these binaries a high-risk operation.
- [COMMAND_EXECUTION]: The skill requires broad shell access (`Bash(cmd:*)`) to manage the 'gastown' engine. It performs various system operations including installing tools, creating workshop directories (`~/gt`), and modifying local configuration files like `routes.jsonl`.
- [EXTERNAL_DOWNLOADS]: During the setup flow, the skill logic encourages the ingestion of third-party projects via GitHub URLs provided by the user. This involves fetching and potentially executing content from external sources.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing content from external repositories.
  - Ingestion points: External GitHub repositories provided by the user during rig configuration (`references/examples.md`).
  - Boundary markers: None identified in the instructions to distinguish between trusted system commands and untrusted project data.
  - Capability inventory: The skill has access to the `Bash`, `Read`, `Write`, `Edit`, and `WebFetch` tools, which could be exploited if malicious instructions are encountered in a project repo.
  - Sanitization: No validation, sanitization, or filtering steps are defined for external project content before the agent acts upon it.
Recommendations
- AI detected serious security threats
Audit Metadata