Skills
skills/prorise-cool/prorise-claude-skills/devops-specialist/Gen Agent Trust Hub

devops-specialist

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script references/domains/github-platform/core/setup/scripts/bash-aliases.sh uses cat >> "$BASHRC" to modify the user's shell configuration file (~/.bashrc) without explicit user intervention beyond running the command. Modifying persistent shell profiles is a high-risk persistence mechanism.
  • [EXTERNAL_DOWNLOADS]: The gh-bootstrap tool (defined in references/domains/github-platform/bootstrap/SKILL.md) clones numerous third-party GitHub repositories that are not from trusted organizations (e.g., stevemao/github-issue-templates, dec0dOS/amazing-github-template, othneildrew/Best-README-Template). These downloads occur at runtime and are used to populate the user's local repository.
  • [REMOTE_CODE_EXECUTION]: The gh-bootstrap execution logic in references/domains/github-platform/bootstrap/phases/04-execution.md downloads templates and then uses the agent to Read and Write them into the local project. This includes generating GitHub Actions workflows (.github/workflows/*.yml), which are executable CI/CD scripts. This pattern effectively executes remote configuration from untrusted sources.
  • [PROMPT_INJECTION]: The file references/domains/github-platform/core/setup/references/bashrc-claude.sh defines and promotes the use of shell aliases like claude-yolo and claude-cont-yolo which include the --dangerously-skip-permissions flag. This encourages bypassing built-in safety prompts and security controls.
  • [INDIRECT_PROMPT_INJECTION]: The bootstrapping workflow demonstrates a significant vulnerability surface for indirect prompt injection:
  • Ingestion points: references/domains/github-platform/bootstrap/phases/04-execution.md (Downloads and reads content from untrusted external repositories).
  • Boundary markers: Absent. The tool is instructed to copy content "exactly as is" from the templates.
  • Capability inventory: The skill uses Bash for cloning and Write for creating files in the local environment.
  • Sanitization: Absent. There is no validation or filtering performed on the content retrieved from the untrusted third-party repositories.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 16, 2026, 03:08 AM