reference-module

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands (git submodule add, git submodule update) by interpolating parameters provided by the user, such as repository URLs, target paths, and branch names.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the cloning of external code repositories from arbitrary sources into the local development environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its primary purpose is to "research" the contents of external repositories. An attacker could host a repository containing malicious instructions designed to be interpreted by the agent during the research phase.
      • Ingestion points: Untrusted data enters the context via git submodule add <repo-url> in SKILL.md.
      • Boundary markers: No specific delimiters or instructions are provided to help the agent distinguish between its system instructions and the content of the researched files.
      • Capability inventory: The skill has the capability to execute shell commands and modify the local repository structure.
      • Sanitization: The skill relies on manual user confirmation before executing the git commands, but it does not sanitize or filter the content of the downloaded repository before the agent processes it.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 2, 2026, 01:36 AM