librarian
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various git commands and shell scripts based on repository inputs provided by the user or discovered by the agent.
- [INDIRECT_PROMPT_INJECTION]: The skill provides a mechanism to ingest external data (git repositories). This creates an attack surface where a malicious repository could contain instructions designed to influence the agent's behavior during subsequent analysis of the cloned files.
- Ingestion points:
checkout.shclones remote repositories into~/.cache/checkouts/based on user-provided or discovered URLs. - Boundary markers: None identified in the provided scripts to distinguish between instructions and data within the cloned repositories.
- Capability inventory: The skill uses
git clone,git fetch, andgit mergeviasubprocessequivalents in bash. It also writes a timestamp to a tracking file (.git/librarian-last-fetch). - Sanitization: The
parse_repofunction performs basic parsing and trimming of the input URL/reference but does not sanitize the content of the files once they are cloned to the local system.
Audit Metadata