github-repo-management
Fail
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to access highly sensitive local credential files.
  - Evidence: Provides an explicit example for uploading the user's private SSH identity key to GitHub: gh secret set SSH_KEY < ~/.ssh/id_rsa
  - Evidence: Attempts to extract authentication secrets from ~/.git-credentials and ~/.hermes/.env.
- [COMMAND_EXECUTION]: The skill employs a pattern of piping network data directly into a programming language interpreter.
  - Evidence: Multiple shell commands in SKILL.md and references/github-api-cheatsheet.md pipe output from curl directly to python3 -c for JSON processing. This pattern is vulnerable if the remote service (GitHub API) returns malicious content intended to exploit the parsing logic.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of attacker-controlled data from an external API.
  - Ingestion points: Fetches and displays repository names, descriptions, issue titles, and user metadata from the GitHub API using curl and gh.
  - Boundary markers: None. Data is interpolated directly into printed output without delimiters or instructions for the agent to ignore embedded commands.
  - Capability inventory: The skill has extensive permissions including reading sensitive local files, performing network requests, and executing arbitrary shell commands via gh and git.
  - Sanitization: None. There is no evidence of validation or escaping of the data retrieved from the external API before it is processed or rendered to the user.
Recommendations
- HIGH: Downloads and executes remote code from: https://api.github.com/user - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata