
github-kb

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOW (EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis

================================================================================

🟡 VERDICT: LOW

This skill is primarily a documentation file (SKILL.md) describing how an AI agent can interact with GitHub using the gh CLI and manage a local knowledge base. The _meta.json file contains standard metadata and no malicious content.

Total Findings: 3

🔵 LOW Findings:

  • Unverifiable Dependencies (Trusted Source)
    • Line 30: brew install gh
    • The skill instructs the user to install gh CLI using package managers (brew, apt, winget). While these are external dependencies, gh CLI is an official and trusted tool from GitHub. The installation instructions also reference the official GitHub CLI documentation (https://github.com/cli/cli/blob/trunk/docs/install_linux.md), which is a trusted source. This finding is downgraded to LOW due to the trusted nature of the source.

  • Unverifiable Dependencies (Trusted Source)
    • Line 100: git clone https://github.com/<owner>/<name>.git
    • The skill instructs the user to clone GitHub repositories. This involves downloading code from an external source. However, the source is github.com, which is a trusted domain. This finding is downgraded to LOW due to the trusted nature of the source.

ℹ️ TRUSTED SOURCE References:

  • Trusted External Reference
    • Line 32: https://github.com/cli/cli/blob/trunk/docs/install_linux.md
    • Reference to the official GitHub CLI installation guide.

  • Trusted External Reference
    • Line 100: https://github.com/<owner>/<name>.git
    • Instructions to clone repositories from github.com.

================================================================================

Threat Category Analysis:

  1. Prompt Injection: No direct prompt injection patterns were found in the skill's instructions. However, the skill involves reading and processing external content such as GITHUB_KB.md and README files from cloned repositories. This introduces a risk of Indirect Prompt Injection if these files were to contain malicious instructions that an LLM might interpret. This is an inherent risk for skills that process external or user-controlled data.

  2. Data Exfiltration: No direct data exfiltration commands were detected. The skill advises secure handling of GITHUB_TOKEN by using environment variables, which is a good security practice. It does not instruct the exfiltration of sensitive local files.

  3. Obfuscation: No obfuscated content (e.g., Base64, zero-width characters, homoglyphs) was found in the SKILL.md or _meta.json files.

  4. Unverifiable Dependencies: The skill instructs the installation of gh CLI and cloning of repositories. These are external dependencies. However, both gh CLI and github.com are considered trusted sources. Therefore, these findings are downgraded to LOW/INFO.

  5. Privilege Escalation: No sudo, chmod 777, or other privilege escalation commands were explicitly instructed. The installation commands for gh CLI might require elevated privileges, but the skill does not explicitly use sudo in its examples.

  6. Persistence Mechanisms: No patterns for establishing persistence (e.g., modifying ~/.bashrc, crontab) were found.

  7. Metadata Poisoning: The _meta.json file and the metadata within SKILL.md are clean and consistent with the skill's described functionality.

  8. Indirect Prompt Injection: As noted above, the processing of GITHUB_KB.md and README files from potentially untrusted sources introduces a risk of indirect prompt injection. This is an informational finding, highlighting an inherent risk of the skill's design.

  9. Time-Delayed / Conditional Attacks: No time-delayed or conditional attack patterns were detected.

Adversarial Reasoning:

  • The skill's primary function is to enable interaction with GitHub and local files. The instructions are clear and do not appear to hide malicious intent.
  • The advice on GITHUB_TOKEN handling is a positive security indicator.
  • The external dependencies are from trusted sources, mitigating the risk associated with downloading unknown code.
  • The main residual risk is the potential for indirect prompt injection from content within cloned repositories or the GITHUB_KB.md file, which the agent would process.

Audit Metadata

Risk Level: LOW
Analyzed: Feb 12, 2026, 02:48 PM