learn

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill builds shell commands from a user-provided URL without sufficient sanitization. The variables $OWNER and $REPO are extracted from the input URL with sed and then used in shell operations including mkdir -p and ln -sf. A crafted URL could inject additional shell commands or attempt path traversal.
  • [EXTERNAL_DOWNLOADS]: The skill uses the ghq utility to clone remote repositories from user-supplied URLs, which downloads external, untrusted source code into the local environment for analysis.
  • [PROMPT_INJECTION]: The skill feeds untrusted code to parallel sub-agents tasked with architecture and code analysis, a significant surface for indirect prompt injection. Malicious instructions embedded in the analyzed codebase could be acted on by the agents.
  • Ingestion points: External source code files cloned via ghq and accessed through the origin/ symlink (SKILL.md).
  • Boundary markers: Absent. Sub-agents are prompted to read the source code directly, with no protective delimiters and no instruction to ignore embedded commands.
  • Capability inventory: Sub-agents can write generated markdown files to the local filesystem in DOCS_DIR.
  • Sanitization: Absent. The skill does not validate, filter, or sanitize the contents of the files before the sub-agents process them.
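The COMMAND_EXECUTION finding above is about trusting whatever sed captures from the URL. The following is an added example, not the audited skill's code: a loose sed extraction beside a validating one that pins the host, requires exactly two path segments, restricts the character set, and rejects `.`, `..` and option-like names before the values reach mkdir -p or ln -sf. The sed pattern, the function names and the sample URLs are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the audited skill's code). The sed pattern, function
# names and sample URLs below are assumptions for illustration only.

# Naive extraction: whatever sed captures becomes a path component.
# Note that a non-matching URL is echoed back unchanged by sed.
naive_owner_repo() {
  local url="$1"
  # Assumed pattern: two path segments after the host, optional .git and slash.
  printf '%s\n' "$url" | sed -E 's#^https?://[^/]+/([^/]+)/([^/]+)(\.git)?/?$#\1 \2#'
}

# Validated extraction: fixed host, exactly two segments, strict charset,
# and no '.', '..' or option-like names. Returns 1 on any deviation.
safe_owner_repo() {
  local url="$1" rest owner repo seg
  case "$url" in
    https://github.com/*) rest="${url#https://github.com/}" ;;
    *) return 1 ;;
  esac
  rest="${rest%/}"
  rest="${rest%.git}"
  owner="${rest%%/*}"
  repo="${rest#*/}"
  # No slash at all, or more than two segments: reject.
  [ "$owner" != "$rest" ] || return 1
  case "$repo" in */*) return 1 ;; esac
  for seg in "$owner" "$repo"; do
    case "$seg" in
      ''|.|..|-*) return 1 ;;
      *[!A-Za-z0-9._-]*) return 1 ;;
    esac
  done
  printf '%s %s\n' "$owner" "$repo"
}

# Use only validated parts for mkdir -p / ln -sf. '--' ends option parsing
# and every expansion is quoted, so the URL cannot alter the command line.
link_origin() {
  local base="$1" src="$2" url="$3" parts owner repo
  parts=$(safe_owner_repo "$url") || return 1
  owner=${parts%% *}
  repo=${parts#* }
  mkdir -p -- "$base/$owner/$repo" || return 1
  ln -sfn -- "$src" "$base/$owner/$repo/origin"
}

# Constructed sample URLs for a demo run; nothing here exits non-zero.
for u in 'https://github.com/octocat/Hello-World.git' \
         'https://github.com/../..' \
         'https://github.com/a/b;id'; do
  printf 'naive: %s\n' "$(naive_owner_repo "$u")"
  printf 'safe : %s\n' "$(safe_owner_repo "$u" || echo rejected)"
done
```

The demo loop shows the contrast: the sed pattern happily returns `.. ..` and `b;id` as owner/repo, which become traversal components or shell metacharacters the moment they are used unquoted, while the validating function rejects both and only ever hands a clean `owner repo` pair to the filesystem commands.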
Recommendations
  • Automated analysis detected serious security threats (see Full Analysis).
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 15, 2026, 12:45 AM