github-multi-repo
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill clones external repositories and executes `npm install` and `npm test` within them. This behavior allows for the execution of arbitrary code via package lifecycle hooks or malicious test scripts if a repository being managed is untrusted or has been compromised.
- [COMMAND_EXECUTION]: The skill uses a `Bash` function to execute complex shell commands for repository discovery, cloning, and automation. Examples include using `gh repo clone` into `/tmp/` directories and executing piped logic to automate updates across multiple services.
- [EXTERNAL_DOWNLOADS]: The skill uses the GitHub CLI (`gh`) and `npm` to fetch source code, API metadata, and package dependencies from remote servers (github.com and npm registries).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during its coordination and synchronization tasks.
  - Ingestion points: Data is ingested from external repositories via `gh api`, `gh repo clone`, and file reads of `package.json` and `CLAUDE.md`.
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands when the ingested data is passed to the AI swarm agents.
  - Capability inventory: The skill has the capability to execute shell commands (`Bash`), push files to GitHub repositories, and manage shared memory.
  - Sanitization: There is no evidence of sanitization or validation of the content retrieved from external repositories before it is processed by the AI agents.