The skill is vulnerable to command injection and relies on external
Claims to do
Check: Review Before You Ship: Prefix your first line with 🥷 inline, not as its own paragraph.
Actually does
This skill uses `git` and `gh` CLI to review code diffs, triage GitHub issues and PRs, and manage releases. It reads repository context (e.g., READMEs, manifests, CI configs), performs checks for hard stops and scope drift, and can apply safe auto-fixes. It interacts with GitHub to list/view/close issues and PRs, push commits, create releases, and add reactions, and can execute project-specific verification commands.
The skill constructs shell commands using potentially user-controlled input (e.g., issue keywords, search terms) without explicit sanitization, creating a command injection vulnerability. An attacker could craft malicious input to execute arbitrary commands.
`git log --oneline <latest-tag>..HEAD | grep -i "<keyword>"`, `grep -r "name" .`
The skill has extensive capabilities to execute various external commands (`gh`, `git`, `bash scripts/run-tests.sh`). This broad access, while functional, presents a significant attack surface if the agent's reasoning or input is compromised, enabling a wide range of malicious actions.
`gh issue list`, `gh pr list`, `git log`, `gh api`, `bash scripts/run-tests.sh`, `grep -r`, `vercel env ls`, `git remote -v`
The skill performs wide-ranging reconnaissance, including listing issues/PRs, reading various project files, and explicitly detecting PII during document review. If the agent's output or communication channels are compromised, this gathered sensitive information could be exfiltrated.
`gh issue list`, `gh pr list`, `git log`, `grep -r`, `Privacy scan: Detect PII (names, companies, employment dates, salary hints, location details).`
The agent's critical decision-making, project context extraction, and sub-agent configurations rely on external files (`references/project-context.md`, `references/persona-catalog.md`). If these files are compromised, an attacker could poison the agent's knowledge base or inject malicious sub-agent prompts.
Load `references/project-context.md` Load `references/persona-catalog.md` to determine which specialists activate. Launch all activated specialists in parallel...
The skill is designed to apply `safe_auto` fixes immediately without user confirmation. While intended for 'unambiguous, risk-free' changes, a flaw in this classification or a manipulated definition could lead to unintended or harmful modifications without human oversight.
| `safe_auto` | Unambiguous, risk-free: typos, missing imports, style inconsistencies | Apply immediately |
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.