drupalorg-contribution-helper
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the user to download an executable file from a third-party GitHub repository (
mglaman/drupalorg-cli) usingcurl -LO. This is an unverifiable dependency that could lead to remote code execution if the source is compromised. - REMOTE_CODE_EXECUTION (HIGH): The skill provides instructions to download, make executable, and run a remote script (
drupalorg.phar). While not a direct pipe to shell, it follows the same high-risk pattern of downloading and executing unverified remote code. - COMMAND_EXECUTION (HIGH): The skill includes the use of
sudo mvto move the downloaded executable into/usr/local/bin/. This constitutes privilege escalation, as it requires administrative rights to modify system directories. - DATA_EXFILTRATION (MEDIUM): The skill includes instructions to access and display private SSH public keys (
cat ~/.ssh/id_ed25519.pub). While intended for legitimate setup, displaying sensitive file contents in a chat interface creates a risk of accidental data exposure. - CREDENTIALS_UNSAFE (LOW): The 'HTTPS Fallback' section encourages users to construct URLs containing plaintext personal access tokens:
https://{username}:{token}@git.drupalcode.org/.... This can lead to credentials being leaked in shell history or environment logs.
Recommendations
- AI detected serious security threats
Audit Metadata