bootstrap
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Unsanitized Variable Interpolation. Phase 4 of the skill constructs a shell script by directly inserting the `REPO_URL` and `BRANCH` variables into a heredoc without escaping. A malicious repository or branch name containing shell metacharacters could result in arbitrary command execution when the generated `tmp/bootstrap-claude-session.sh` is run by the user.
- [COMMAND_EXECUTION]: SSH Environment Manipulation. The skill executes commands to remove SSH control sockets (`~/.ssh/control-*`) and force the closure of GitHub SSH sessions. These operations modify the user's active SSH configuration and multiplexing state without explicit consent.
- [CREDENTIALS_UNSAFE]: GitHub Token Exposure. The skill retrieves an authentication token using `gh auth token` and embeds it directly into the git remote URL for cloning. This practice can expose the secret token in process monitoring tools, command history, or error logs if the git operation fails.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion points: The skill reads repository and branch names from user-provided arguments (`-r`, `-b`) and the output of `git remote get-url origin` in Phase 1.
  - Boundary markers: No boundary markers or instructions are used to distinguish untrusted data from the script logic.
  - Capability inventory: The skill has the ability to execute `Bash` commands and `Write` files to the local file system.
  - Sanitization: The skill lacks sanitization logic to escape or validate input variables before they are interpolated into executable shell scripts.
Audit Metadata