about-oracle
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various shell commands including `git`, `ls`, and `cat` to retrieve local metadata, commit history, and version information from the project's directory structure.
- [COMMAND_EXECUTION]: It attempts to run a local TypeScript file located at `src/skills/oracle-family-scan/scripts/fleet-scan.ts` using the `bun` runtime to perform a fleet scan.
- [EXTERNAL_DOWNLOADS]: Fetches remote data from GitHub using the `gh` CLI tool, specifically retrieving repository lists and issue bodies from the `Soul-Brews-Studio` organization to display live project statistics.
- [PROMPT_INJECTION]: The skill processes untrusted content from a public GitHub issue (issue #60 in the `oracle-v2` repository). This creates an indirect prompt injection vulnerability where an attacker could influence the agent's narrative by modifying the external issue content.
  - Ingestion points: Data is ingested from the output of `gh issue view 60 --repo Soul-Brews-Studio/oracle-v2` within `SKILL.md`.
  - Boundary markers: There are no explicit markers or safety instructions used to distinguish the fetched issue data from the agent's primary instructions.
  - Capability inventory: The skill possesses the ability to execute shell commands, read local files, and perform network requests via the GitHub CLI across its defined logic.
  - Sanitization: While the output is piped through basic filters like `grep` and `head`, there is no sanitization to prevent the AI from interpreting instructions embedded in the issue text.
Audit Metadata