github-explorer
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection through its interaction with external repository data.
- Ingestion points: The agent retrieves content from GitHub repositories, including files, issues, pull requests, and commit logs using `gh` and `git` commands.
- Boundary markers: The instructions lack specific delimiters or directions to treat external content strictly as data, leaving the agent open to following instructions embedded in that data.
- Capability inventory: The skill utilizes powerful CLI tools (`gh` and `git`) and has the capability to modify repositories via `commit`, `push`, and `rebase` operations.
- Sanitization: There is no evidence of sanitization or validation of the data fetched from GitHub before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill is designed to execute system-level commands using the GitHub CLI (`gh`) and `git`.
- The instructions explicitly direct the agent to use these tools as its primary interface for repository exploration and management.
- Although these are the expected tools for the skill's stated purpose, the combination of command execution capabilities and the processing of untrusted external data increases the potential impact of a successful prompt injection attack.
Audit Metadata