github-research
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Python
subprocessmodule to executegitandgh(GitHub CLI) commands for cloning repositories and interacting with the GitHub API. The implementation in scripts such asscripts/clone_repo.py,scripts/repo_metadata.py, andscripts/search_github.pyfollows security best practices by passing arguments as lists rather than using shell strings, which mitigates the risk of command injection from research metadata.- [EXTERNAL_DOWNLOADS]: The skill performs legitimate network operations to fetch repository data and research metadata from well-known services. Specifically, it clones repositories fromgithub.comand queries thepaperswithcode.comAPI to map papers to implementations. These downloads are intrinsic to the skill's function and target trusted domains.- [PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection (Category 8). During Phase 4, the agent is directed to clone and deeply read source code from repositories identified through automated search. If an analyzed repository contains adversarial instructions hidden in code comments or documentation, the agent might inadvertently adopt those instructions. - Ingestion points: Repository content is cloned to the
phase4_deep_dive/repos/directory. - Boundary markers: There are no explicit instructions to use delimiters or defensive prompting when the agent reads the external code files.
- Capability inventory: The skill environment allows for subprocess execution, network access via
urllib, and file system modifications. - Sanitization: No content filtering is applied to the retrieved source files before they are presented to the agent for analysis.
Audit Metadata