skills/lvlup-sw/exarchos/cleanup/Gen Agent Trust Hub

cleanup

Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (git worktree remove .worktrees/<name> and git branch -d <merged-branch-x>) using variables derived from external VCS data. If branch names or worktree names contain shell metacharacters (e.g., ;, &, |), interpolating them into these commands could lead to arbitrary command execution on the host machine.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by ingesting untrusted data from PR comments and metadata via the exarchos_orchestrate MCP action. Attackers with access to the repository could embed malicious instructions in PRs to manipulate the agent's behavior during the cleanup process.
      • Ingestion points: Data enters the context via exarchos_orchestrate({ action: "list_prs" }) and exarchos_orchestrate({ action: "get_pr_comments" }) as described in SKILL.md and references/merge-verification.md.
      • Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore embedded instructions in the fetched data.
      • Capability inventory: The agent has capabilities to modify the file system via git shell commands and change workflow states via mcp__plugin_exarchos_exarchos__exarchos_workflow.
      • Sanitization: No sanitization, escaping, or validation of the branch names or PR content is performed before interpolation into shell commands or prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 6, 2026, 04:03 AM