repo-updater
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The troubleshooting documentation includes an installation command that pipes a remote script from an untrusted GitHub repository (Dicklesworthstone/repo_updater) directly into the bash shell.
- [COMMAND_EXECUTION]: The skill is designed to execute arbitrary shell commands through its quality gate system and supports custom pre_hook and post_hook commands defined in per-repository configuration files.
- [EXTERNAL_DOWNLOADS]: The skill interacts with the GitHub API to fetch PRs and issues and facilitates the download of remote repositories from various owners.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it automatically processes untrusted data from GitHub PR descriptions and uncommitted local code using AI agents with command execution capabilities.
  - Ingestion points: Uncommitted file changes and GitHub issue or PR metadata.
  - Boundary markers: Implements a file denylist and secret scanning but lacks explicit instruction isolation.
  - Capability inventory: Executes git commands, tmux session management, and project-specific build or test scripts.
  - Sanitization: Filters specific sensitive file patterns and performs basic secret scanning.
Recommendations
- AI detected serious security threats
Audit Metadata