
prove-work

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates a Python Playwright script at '/tmp/prove-work/interact.py' based on an analysis of the current git diff and then executes it using 'python3'. This creates and runs code at runtime that is directly influenced by the content of the repository.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because the agent uses untrusted repository data (via 'git diff') to determine how to demonstrate a feature. An attacker could craft a diff containing instructions designed to manipulate the generated script.
    - Ingestion points: Reads 'git diff --name-only' to identify changed files and infer routes for the demonstration.
    - Boundary markers: No explicit markers or instructions are used to distinguish repository content from the agent's internal instructions during script generation.
    - Capability inventory: The agent can execute 'python3', 'git', and the 'gh' CLI (GitHub CLI), and has filesystem write access.
    - Sanitization: No sanitization or validation of the data extracted from the git diff is performed before it is incorporated into the script generation process.
  • [EXTERNAL_DOWNLOADS]: The skill installs several Python packages ('playwright', 'av', 'pillow') and browser binaries ('playwright install chromium') if they are not detected in the environment. The 'video_to_gif.py' script performs these installations using pip via subprocess calls.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands, including 'git', 'gh', 'curl', 'pip', and 'python3'. Both the markdown instructions and the included Python scripts use 'subprocess.run' to interact with system tools and the GitHub CLI to manage releases and PR comments.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 07:43 PM