gist
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill's primary function is to send local data (files, code blocks, command output) to an external service (GitHub). There are no restrictions on which files can be accessed, creating a high risk that sensitive information like SSH keys (`~/.ssh/id_rsa`), configuration files (`.env`), or private credentials could be exfiltrated if the agent is manipulated or encounters malicious instructions.
- [COMMAND_EXECUTION] (HIGH): The skill dynamically constructs shell commands using the `gh` CLI. It relies on the agent to interpret user-provided filenames and descriptions. If these inputs are not strictly sanitized, they could be used for shell command injection (e.g., using a filename like `; rm -rf /;`).
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill possesses a 'High' capability tier for indirect prompt injection because it ingests untrusted data (file content and command output) and has a functional exfiltration capability (GitHub Gist creation). A malicious file being 'gisted' could contain instructions that trick the agent into gisting other, more sensitive files in subsequent steps.
- Ingestion points: Reads local files and command outputs (e.g., `git diff`) as input for gists.
- Boundary markers: None. The skill does not implement delimiters or 'ignore' instructions for the content it processes.
- Capability inventory: Executes `gh gist create` via shell and creates temporary files in `/tmp/`.
- Sanitization: None detected. The skill does not validate or sanitize the content, filenames, or descriptions before passing them to the shell.
Recommendations
- AI detected serious security threats
Audit Metadata