Skills
skills/zircote/.claude/github-ecosystem/Gen Agent Trust Hub

github-ecosystem

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from project configuration files and generates executable CI/CD workflows.
  • Ingestion points: Reads pyproject.toml, go.mod, package.json, and existing files in .github/ during enhancement mode.
  • Boundary markers: No evidence of boundary markers or sanitization for interpolated data in the skill description.
  • Capability inventory: Writing and modifying .github/workflows/*.yml files which are executed by GitHub Actions.
  • Sanitization: Missing. If an attacker places a malicious payload in a project metadata field, the generator might embed it directly into a workflow, enabling Remote Code Execution (RCE) in the CI environment.
  • [Persistence Mechanisms] (HIGH): By design, the skill modifies GitHub Actions workflows. A malicious modification to these files establishes persistence, as the injected code will run automatically on repository events (e.g., push, pull request).
  • [Command Execution] (MEDIUM): The skill relies on a local script scripts/generate_github_config.py (not provided for review) to perform file system operations and template logic. The lack of transparency for this script is a significant security blind spot.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 08:03 AM