ghwf0-remote
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a shell script located at
~/.claude/scripts/ghwf/ghwf-daemon.shusingtmux. Since the contents of this script are not included in the skill, its exact behavior and security cannot be verified. - [COMMAND_EXECUTION]: The skill uses system commands like
ps,grep,kill, andtmuxto manage background processes and monitor the status of 'Claude' execution logs. - [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface as it triggers actions based on external content from GitHub.
- Ingestion points: The daemon monitors GitHub Issue and Pull Request labels, comments, and body descriptions for command triggers (e.g.,
ghwf:exec,ghwf:redo). - Boundary markers: There are no defined boundary markers or instructions to ignore malicious content within the issue body or comments being processed.
- Capability inventory: The skill possesses the ability to start background sessions, execute local scripts, and terminate system processes.
- Sanitization: While the documentation mentions a 'Collaborator-only' rule restricted to users with write access, the enforcement of this rule occurs within the external daemon script and cannot be validated by the agent.
Audit Metadata