release
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill documentation includes commands that pipe remote scripts directly into shell interpreters (bash and PowerShell's iex). This allows an attacker who controls the 'wilddeer/specops' repository to execute arbitrary code on the system running the agent if these commands are invoked.
  - Evidence: `curl -fsSL https://raw.githubusercontent.com/wilddeer/specops/main/install.sh | bash`
  - Evidence: `irm https://raw.githubusercontent.com/wilddeer/specops/main/install.ps1 | iex`
- [COMMAND_EXECUTION] (HIGH): The skill executes multiple shell commands with significant side effects on the local filesystem and remote repositories. If the agent's logic is compromised, it could be used to corrupt the repository or exfiltrate data via releases.
  - Evidence: `git push origin main`, `gh release create ...`
- [EXTERNAL_DOWNLOADS] (HIGH): References external scripts from an untrusted source ('wilddeer' organization) which is not within the trusted scope rules.
- [PROMPT_INJECTION] (HIGH): High risk of indirect prompt injection (Category 8). The skill ingests untrusted data from repository history and file contents to generate release notes and perform version bumps.
  - Ingestion points: `git log` output and file contents of `README.md`, `install.sh`, etc.
  - Capability inventory: `git push`, `gh release create`, and arbitrary shell execution.
  - Sanitization: None. The agent is instructed to use `git log` output directly in release notes, creating a surface for injection attacks.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/wilddeer/specops/main/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata