Skills
skills/sickn33/antigravity-awesome-skills/copilot-sdk/Gen Agent Trust Hub

copilot-sdk

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill enables the execution of arbitrary local commands through its Model Context Protocol (MCP) integration configuration.
  • Evidence: The configuration schema for mcpServers allows users to specify a command and args (e.g., command: "npx"), which provides a direct vector for local process creation and execution.
  • [REMOTE_CODE_EXECUTION]: The skill promotes the use of npx to dynamically download and execute remote packages at runtime.
  • Evidence: Examples show the use of npx -y @modelcontextprotocol/server-filesystem, which fetches and runs code from the NPM registry without local verification.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install several packages that use naming conventions mimicking official GitHub software, despite being authored by a community user.
  • Evidence: Installation commands for @github/copilot-sdk (NPM) and github-copilot-sdk (PyPI) are provided. This is high-risk as it may lead users to install unverified code under the assumption of official provenance.
  • [DATA_EXFILTRATION]: The skill allows the configuration of external CLI servers and remote MCP endpoints, which can facilitate the transmission of session data to unauthorized third-party locations.
  • Evidence: Configuration fields like cliUrl and http type MCP servers (e.g., https://api.githubcopilot.com/mcp/) allow the agent to send data to external network addresses.
  • [PROMPT_INJECTION]: The skill exposes a significant surface for indirect prompt injection by ingesting local filesystem data and feeding it into an LLM session without sanitization or boundary markers.
  • Ingestion points: The filesystem MCP server (referenced in SKILL.md) allows the agent to read and process the content of local files.
  • Boundary markers: No delimiters or "ignore embedded instructions" warnings are present in the code examples provided to isolate untrusted file content.
  • Capability inventory: The skill combines filesystem access (via MCP), arbitrary command execution (via npx), and network operations (via the SDK client).
  • Sanitization: There is no evidence of input validation, escaping, or filtering of content read from the filesystem before it is interpolated into the session prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 20, 2026, 01:18 PM