oracle-family-scan

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md interpolate variables like $QUERY and $ARGUMENTS directly into shell commands (e.g., bun $MOTHER/registry/query.ts "$QUERY"). This pattern creates a surface for command injection if the agent does not properly sanitize or escape user-provided input before execution.
  • [PROMPT_INJECTION]: The "welcome" flow (Mode 9) creates an indirect prompt injection surface by ingesting untrusted data from external sources to influence agent behavior.
      • Ingestion points: Reads issue titles, bodies, and author names from the Soul-Brews-Studio/arra-oracle-v3 repository using gh issue view (SKILL.md).
      • Boundary markers: None. There are no instructions or delimiters to help the agent distinguish between administrative metadata and potentially malicious instructions embedded in the birth stories.
      • Capability inventory: The skill uses bun for local script execution and gh for network operations, including posting comments and GraphQL mutations to GitHub.
      • Sanitization: No sanitization or validation is performed on the fetched text before the agent is asked to "reference specific metaphor + phrases" and "NOT be templated".
  • [EXTERNAL_DOWNLOADS]: The skill frequently uses the gh CLI and GraphQL API to fetch data from GitHub repositories belonging to the author (Soul-Brews-Studio) and related organizations. It also recommends using ghq get to clone the central registry repository if not present locally.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 31, 2026, 12:58 PM