repo-watch
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes shell commands to run a local helper script (~/.claude/scripts/repo-watch.sh), interface with the GitHub CLI (gh), and modify the project's CLAUDE.md configuration file.
- [EXTERNAL_DOWNLOADS]: Performs cloning of remote repositories from GitHub using the gh repo clone command, which is the primary intended function of the skill.
- [PROMPT_INJECTION]: Identifies an indirect prompt injection surface where external inputs influence the agent's execution flow.
- Ingestion points: The skill ingests repository metadata and user reactions (emoji responses) from GitHub via the GitHub CLI API.
- Boundary markers: There are no explicit delimiters used to encapsulate or identify external data to prevent it from being interpreted as instructions by the agent.
- Capability inventory: The skill possesses the capability to execute shell commands, clone external source code, and perform write operations on the local configuration file CLAUDE.md.
- Sanitization: While the skill filters reactions using the owner_account login, it does not explicitly sanitize the repository names or organization strings retrieved from external sources before they are used in shell command construction.
Audit Metadata