research-archival
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes logic to scan the local filesystem for sensitive credential files. Specifically, it searches the path ~/.claude/.secrets/ for files matching the pattern gh-token-* to retrieve GitHub authentication tokens.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute complex shell operations, including the use of heredocs to generate and run scripts. These scripts perform environment variable checks, network requests, and conditional system commands.
- [REMOTE_CODE_EXECUTION]: The skill performs remote execution on a host named littleblack via SSH. It executes administrative commands such as docker restart on specific service containers and inspects remote container logs.
- [EXTERNAL_DOWNLOADS]: The skill initiates downloads from the external service r.jina.ai to convert web pages into markdown. It also makes POST requests to a local network endpoint 172.25.236.1:3003 to trigger scraping activities.
- [PROMPT_INJECTION]: The skill processes untrusted content from the web, which creates a surface for indirect prompt injection.
- Ingestion points: Content is retrieved from arbitrary user-supplied URLs via curl and the Jina Reader service in SKILL.md.
- Boundary markers: The scraped content is not isolated with protective delimiters when stored or used in subsequent operations.
- Capability inventory: The agent has the ability to execute bash commands, write files to the local repository, and create issues on GitHub.
- Sanitization: There is no evidence of content sanitization or validation before the scraped data is used to populate markdown files or GitHub issue bodies.
Recommendations
- AI detected serious security threats
Audit Metadata