
Harvest

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Unsafe shell command construction in scripts/generate-report.js. The script uses child_process.execSync to execute GitHub CLI (gh) commands, where input arguments such as --repo and --author are appended directly to the command string without sanitization or escaping. This allows for arbitrary shell command injection if an attacker can influence these parameters.
  • [REMOTE_CODE_EXECUTION]: The command injection vulnerability in scripts/generate-report.js enables arbitrary code execution on the system where the agent invokes the report generation utility.
  • [EXTERNAL_DOWNLOADS]: The reporting templates and sample reports (templates/client-report.html and samples/client-report-2026-01-31.html) load the Chart.js library from an external CDN (https://cdn.jsdelivr.net/npm/chart.js).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 11, 2026, 03:18 AM