skills/seabbs/skills/bot-tasks/Gen Agent Trust Hub

bot-tasks

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill establishes a persistence mechanism by instructing the user to add a recurring entry to the system crontab (crontab -e). This entry executes cron-bot-tasks.sh every 5 minutes to poll for and trigger task execution without manual oversight.
  • [COMMAND_EXECUTION]: The skill executes local scripts and commands, including ~/.claude/scripts/bot-tasks.sh, /setup-scripts, and the GitHub CLI tool (gh api), to gather notifications and modify repository state.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it parses and obeys instructions contained within the bodies of GitHub comments and mentions.
      • Ingestion points: External comment bodies and notification data are ingested via the gh api and the bot-tasks.sh script.
      • Boundary markers: The skill lacks boundary markers or instructions to the agent to treat external comment text as untrusted data, increasing the likelihood that the agent will obey malicious instructions embedded in a comment.
      • Capability inventory: The skill possesses powerful capabilities including full git operations (cloning, worktree creation, committing, and pushing), repository management (creating pull requests, labeling, closing issues), and network communication with GitHub.
      • Sanitization: There is no evidence of sanitization, validation, or filtering of the external comment content before it is processed as a task request.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 8, 2026, 07:16 AM