managing-work-dotfiles
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill runs Git commands whose working tree is the user's $HOME directory. Commands like 'yadm-work checkout' or 'yadm-work pull' can overwrite critical configuration files (e.g., .bashrc, .ssh/config) with whatever the remote branch contains; a rewritten shell rc file executes on the next login, and a rewritten .ssh/config can redirect every subsequent SSH connection.
- [DATA_EXFILTRATION] (HIGH): The skill provides instructions for staging and pushing files to a remote repository (git@ghe.spotify.net:thopper/dotfiles.git). An agent following those instructions could be manipulated into staging sensitive files (SSH private keys, tokens, .env files) and pushing them to that server.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill clones a remote repository from ghe.spotify.net, which is not on the trusted sources list. The repository content is therefore untrusted and could be malicious.
- [PROMPT_INJECTION] (HIGH): Vulnerable to indirect prompt injection (Category 8). Ingestion points: files pulled or checked out from the remote Git repository. Boundary markers: none. Capability inventory: the skill can write to the user's $HOME directory and push data to a remote network location. Sanitization: none. The skill encourages the agent to 'read and understand' the files, which increases the risk of the agent obeying instructions embedded in them.
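The two Git-facing findings above (unreviewed checkout/pull overwriting files in $HOME, and sensitive files being pushed to the remote) can both be checked before the dangerous command runs. The script below is an added example written for this report; it is not code from the audited skill or from yadm. The report does not say which git-dir the 'yadm-work' wrapper uses, so DOTFILES_GIT_DIR, the 'dot' wrapper, the two glob lists and the hook wiring are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the audited skill or from yadm: guard rails for
# a dotfiles repository whose Git work tree is $HOME. DOTFILES_GIT_DIR, the
# deny lists and the hook wiring are assumptions for illustration.

DOTFILES_GIT_DIR="${DOTFILES_GIT_DIR:-$HOME/.local/share/yadm-work/repo.git}"

# Files that must never be committed or pushed to a dotfiles remote. Patterns
# are matched with `case`, where `*` also spans `/`, so `.gnupg/*` covers
# everything under that directory. Assumed list; extend for your environment.
SENSITIVE_GLOBS='
.ssh/id_*
.ssh/*_key
.ssh/authorized_keys
.netrc
.env
.env.*
.aws/credentials
.kube/config
.docker/config.json
.gnupg/*
*token*
*secret*
'

# Files the report singles out as dangerous to overwrite with an unreviewed
# checkout or pull (shell rc files run on the next login, .ssh/config steers
# every SSH connection). Assumed list.
PROTECTED_GLOBS='
.bashrc
.bash_profile
.profile
.zshrc
.ssh/config
.gitconfig
'

# Git on the dotfiles repo with $HOME as work tree (stand-in for `yadm-work`).
dot() { git --git-dir="$DOTFILES_GIT_DIR" --work-tree="$HOME" "$@"; }

# Read paths from stdin (one per line) and print those matching any glob in $1.
match_globs() {
    patterns=$1
    set -f  # keep the globs literal while the shell word-splits $patterns
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        for glob in $patterns; do
            case "$path" in
                $glob) printf '%s\n' "$path"; break ;;
            esac
        done
    done
    set +f
}

flag_sensitive() { match_globs "$SENSITIVE_GLOBS"; }
flag_protected() { match_globs "$PROTECTED_GLOBS"; }

# Return 1 (and say why) if any path on stdin is sensitive. Feed it the output
# of `git diff --name-only` before a push, or of `git status --porcelain`
# before `git add`.
check_paths() {
    hits=$(flag_sensitive)
    [ -z "$hits" ] && return 0
    printf 'refusing: sensitive path(s) would leave this machine:\n%s\n' "$hits" >&2
    return 1
}

# Pre-push guard: every file that differs between the upstream tip and HEAD
# must pass check_paths. $1 optionally overrides the base ref.
guard_push() {
    base=$1
    [ -n "$base" ] || base='@{upstream}'
    dot diff --name-only "$base" HEAD | check_paths
}

# Pre-pull review: fetch without checking out, then list the protected files
# the remote branch would rewrite so they can be inspected first with
# `dot diff HEAD FETCH_HEAD -- <file>`.
preview_pull() {
    dot fetch --quiet "${1:-origin}" || return 1
    dot diff --name-only HEAD FETCH_HEAD | flag_protected
}
```

Wiring: saving the script as $DOTFILES_GIT_DIR/hooks/pre-push with a final line of `guard_push` makes Git refuse the push whenever a sensitive path is among the outgoing changes; `preview_pull` is meant to be run by hand before any 'yadm-work pull' or 'yadm-work checkout', and an empty listing means none of the protected files would change. Neither function touches the work tree, so running them is safe even when the remote is untrusted.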
Recommendations
- AI detected serious security threats
Audit Metadata