project
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from external repositories which presents an indirect prompt injection surface. The
scripts/reunion.tsandscripts/index.tsfiles scan and read markdown files (.md) from cloned external repositories to update a knowledge base. Ingestion points:readdirSyncinscripts/reunion.tsandBun.file().text()inscripts/index.ts. Boundary markers: None identified. Capability inventory: The skill can execute shell commands (git,gh,ghq), write to the filesystem, and perform network operations via the GitHub CLI. Sanitization: No explicit sanitization of the content of the indexed files was detected. - [COMMAND_EXECUTION]: Multiple scripts execute shell commands by interpolating arguments directly into shell strings using the Bun shell operator (
$). For example,scripts/create.tsinterpolates a repository name into agh repo createcommand, andscripts/incubate.tsinterpolates a slug intogh repo view. While Bun provides some escaping, malicious input from external sources or crafted repository names could potentially lead to command injection. - [EXTERNAL_DOWNLOADS]: The skill downloads code and configuration from GitHub using
ghqand the GitHub CLI (gh). These operations target a well-known service and are consistent with the skill's primary purpose of project management. - [COMMAND_EXECUTION]: The skill relies on and interacts with the user's local
gh(GitHub CLI) authentication. It performs operations such as creating repositories, listing organizations, and querying API data on behalf of the user.
Audit Metadata