github-multi-repo
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash capability to execute shell commands like 'gh', 'npm', and 'git' across multiple local and temporary directories.
- [REMOTE_CODE_EXECUTION]: The skill logic includes cloning repositories to '/tmp/' and running 'npm test'. This behavior allows any code defined in the test scripts of those repositories to execute on the agent's host system.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the GitHub CLI to download repository data and clone source code from external organizations.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by reading data from external repositories.
  1. Ingestion points: The skill fetches 'package.json' and 'CLAUDE.md' files from GitHub via the 'gh api' command.
  2. Boundary markers: No specific delimiters or safety instructions are used when interpolating this external content into the agent's context.
  3. Capability inventory: The skill has extensive capabilities, including full Bash access, repository modification, and PR creation.
  4. Sanitization: There is no evidence of filtering or sanitization of the content retrieved from external repositories before it is processed by the agent.