Fork-It

The skill 'fork-it' contains significant shell injection vulnerabilities in its core scripts. Both scripts/github-search.mjs and scripts/repo-detail.mjs use child_process.execSync to execute curl commands, incorporating command-line arguments (like repository names or search parameters) directly into the shell string without sufficient sanitization or escaping. While the tool's logic is aligned with its stated purpose of searching GitHub, the insecure implementation allows for potential arbitrary command execution if the agent is manipulated into passing malicious strings as arguments.