Skills
skills/trevors/dot-claude/monitoring-ci/Gen Agent Trust Hub

monitoring-ci

Fail

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script ci-monitor.py is vulnerable to shell injection because it uses subprocess.run(shell=True) with unvalidated input.
  • Evidence: The run function in ci-monitor.py executes commands in a shell. The main function interpolates the --branch argument (which can be provided by a user via the agent) directly into command strings, such as f"gh run list --branch {branch} --limit 1 ...".
  • Risk: An attacker can provide a branch name containing shell metacharacters (e.g., main; rm -rf /) to execute arbitrary commands on the system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted data from GitHub Actions logs.
  • Ingestion points: The fetch_failed_logs function in ci-monitor.py reads data from gh run view {run_id} --log-failed.
  • Boundary markers: None. The logs are printed directly to standard output where the agent reads them.
  • Capability inventory: The agent has the ability to execute shell commands, read/write files, and perform other system operations.
  • Sanitization: There is no sanitization or filtering of the log content. Malicious instructions embedded in failed CI logs (e.g., in a test failure message) could be interpreted by the agent as legitimate instructions.
  • [COMMAND_EXECUTION]: The skill uses predictable temporary file paths in a world-writable directory.
  • Evidence: The sentinel_path function in ci-monitor.py uses /tmp/{name}-ci-monitor.
  • Risk: A local attacker could create this file to cause a denial-of-service for the monitor or use symlinks to trick the script into writing to or deleting other files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 19, 2026, 02:08 PM