teach-oh
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill downloads a compiled binary (repo-native-alignment) from the author's GitHub repository, grants it executable permissions, and runs a setup command on the current project.
- [EXTERNAL_DOWNLOADS]: Fetches multiple files from external sources, including binary releases and raw script files from the author's GitHub organization (open-horizon-labs).
- [COMMAND_EXECUTION]: Uses shell commands to identify system architecture (uname, sysctl), create directories (mkdir), and modify file permissions (chmod) for downloaded assets.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it ingests untrusted data from the codebase to summarize project context.
  - Ingestion points: Step 1 reads file contents and directory structures from the local project, including potentially attacker-controlled files such as package.json or README.md.
  - Boundary markers: Absent. The instructions do not specify delimiters around the data gathered from the codebase, nor an instruction to disregard any directives embedded in it.
  - Capability inventory: The agent has shell execution, file system access, and network download capabilities available in the same session.
  - Sanitization: Absent. Content read from the project files is processed by the AI without explicit sanitization or validation.
Audit Metadata