ci-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to run a sequence of shell commands including go fmt, golangci-lint, revive, go vet, gosec, and govulncheck. While these are standard development tools, they execute with the permissions of the agent.
- [REMOTE_CODE_EXECUTION]: In the 'Tests' step, the skill executes 'source setTestEnv.sh'. This instruction sources and executes the contents of a local file from the repository under analysis. If an attacker provides a repository with a malicious setTestEnv.sh, the agent will execute those commands.
- [REMOTE_CODE_EXECUTION]: The command 'go test -v -cover ./...' compiles and runs test code found in the repository. Maliciously crafted tests in an untrusted repository could result in arbitrary code execution during the testing phase.