ci-monitor
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
ci-monitor.pyimplements arunhelper function that utilizessubprocess.run(shell=True). Several functions, includingfind_run,watch_run, andfetch_failed_logs, interpolate thebranchandrun_idvariables directly into shell command strings. Since thebranchvariable can be provided via the--branchCLI argument, an attacker could supply a branch name containing shell metacharacters (e.g.,;,&&, or backticks) to execute arbitrary commands on the host system. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from external CI logs. Ingestion points: The
fetch_failed_logsfunction inci-monitor.pyretrieves the last 3000 characters of output fromgh run view --log-failed. Boundary markers: No delimiters or instructions to ignore embedded commands are used when presenting this log data to the agent. Capability inventory: The skill can execute shell commands (viagh,git, andjj) and write to the filesystem (via sentinel files in/tmp). Sanitization: No filtering or escaping is applied to the log content before it is processed by the agent. A malicious actor could commit code that produces specific log output designed to manipulate the agent's behavior during the CI monitoring phase.
Audit Metadata