github-traffic

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script executes the gh (GitHub CLI) via the subprocess.run method to interact with the GitHub API. This is a standard and safe implementation using a list of arguments to prevent shell injection.
  • [EXTERNAL_DOWNLOADS]: The skill fetches repository traffic data (views, clones, referrers) from GitHub's official API servers via the gh command-line tool. These operations are performed against a well-known and trusted service.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from external sources, specifically referral URLs and page paths from the GitHub Traffic API, which are displayed to the user. While this represents a potential surface for indirect prompt injection if an attacker controls the traffic source names, the risk is inherent to traffic monitoring tools and the script does not perform dangerous operations with this data.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 02:33 AM