ghostpatch
Warn
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/ghostpatch.mjs` is designed to automatically download and execute an NPM package (`@sambhram06/ghostpatch`) using `npx --yes`. This behavior bypasses user confirmation for the execution of remote code.
- [COMMAND_EXECUTION]: The skill uses the `spawnSync` function to run system commands. It permits the execution path to be overridden by the `GHOSTPATCH_CLI` environment variable. If the environment is not properly isolated, this could be exploited to run malicious binaries. On Windows, the use of `shell: true` further increases the surface for command injection.
- [EXTERNAL_DOWNLOADS]: The skill relies on fetching an external engine from the NPM registry at runtime, which introduces a dependency on the security of the remote package and the registry itself.
- [DATA_EXFILTRATION]: The skill's workflow involves checking GitHub authentication status (`gh auth status`) and managing sensitive data like workspaces, scan reports, and preferences within the `~/.ghostpatch/` directory. While necessary for its intended purpose, this represents a point of access to the user's GitHub environment.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: The skill ingests untrusted data by scanning external GitHub repositories and reading issue descriptions (`scan --live`).
  - Boundary markers: There are no explicit instructions or delimiters in the skill to prevent the agent from following instructions that might be embedded within those GitHub issues.
  - Capability inventory: The skill has broad capabilities including file system modification, command execution for testing, and the ability to raise pull requests.
  - Sanitization: The workflow does not explicitly describe sanitization or filtering of external content before it is presented to the agent for decision-making.
Audit Metadata