codebase
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `sync-deps` command includes an 'install' step that executes commands directly in the worktree. These commands are defined by the repository's configuration or code, allowing for the execution of arbitrary and potentially malicious scripts from external sources.
- [COMMAND_EXECUTION]: The skill uses multiple bash tools including `git`, `gh`, `mkdir`, `cp`, and `ln`. While these are necessary for repository management, they present a risk of command injection if repository metadata, such as URLs or branch names, is manipulated by an attacker.
- [DATA_EXFILTRATION]: The skill provides mechanisms to copy sensitive environment files (e.g., `.env.example` to `.env`) and perform symlinking of dependency directories. This handling of sensitive data, combined with the ability to push changes to remote repositories via the `pr` command, creates a risk of accidental credential exposure.
- [PROMPT_INJECTION]: The `analyze` feature is vulnerable to indirect prompt injection when processing content from external repositories.
  - Ingestion points: Source code files are read from external repositories during the execution of the `analyze` command as described in `references/implementation.md`.
  - Boundary markers: There are no markers or system instructions defined to prevent the agent from following prompts embedded in the analyzed codebase.
  - Capability inventory: The skill has access to `Bash`, `Write`, and `Edit` tools, enabling it to perform significant system actions based on interpreted instructions.
  - Sanitization: No validation or sanitization of the repository content is performed before the data is integrated into the agent's context and documentation output.
Audit Metadata