docs-submodule-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes npm run setup if it exists in a repository's package.json. This is a critical vulnerability because an attacker-controlled repository can define any malicious shell command in the 'setup' script, which the agent will then execute without validation.
- [DATA_EXFILTRATION] (MEDIUM): The workflow includes git push origin master. While intended for documentation updates, this capability allows the agent to send files to an external server. If an attacker can trick the agent into committing sensitive files (e.g., SSH keys, .env files) to the submodule, they can successfully exfiltrate that data.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses multiple shell commands (git, mkdir, grep) and dynamically constructs paths like docs/$REPO_NAME. There is a risk of command injection if repository names or remote URLs are crafted maliciously to include shell metacharacters.
- [INDIRECT_PROMPT_INJECTION] (HIGH):
  - Ingestion points: Reads from package.json and git metadata (remote URLs, repo names) from potentially untrusted local or remote repositories.
  - Boundary markers: Absent. The agent is not instructed to treat data from package.json or git structure as untrusted.
  - Capability inventory: Includes arbitrary command execution (npm run), network access (git push), and file system modifications (mkdir, git commit).
  - Sanitization: None. The script directly uses strings derived from the environment to execute system commands.
Recommendations
- AI detected serious security threats
Audit Metadata