github-triage

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from GitHub issues and pull requests.
      • Ingestion points: Issue bodies, titles, and comments are directly interpolated into subagent prompts in SKILL.md templates.
      • Capability inventory: The agent can execute commands via agent-tools-gh, perform git operations, and access infrastructure data like logs, Kubernetes state, and Sentry.
      • Boundary markers: Untrusted input is included without delimiters or instructions to ignore embedded commands.
      • Sanitization: No evidence of sanitization or validation of external content.
  • [COMMAND_EXECUTION]: The skill executes local CLI tools to perform GitHub management and code analysis. Evidence: Commands such as agent-tools-gh and git diff are utilized. These operations are gated by a user approval step, which serves as a significant manual mitigation.
  • [DATA_EXFILTRATION]: The skill accesses sensitive diagnostic information that could be exposed publicly. Evidence: The workflow involves reading system logs, Kubernetes state, and Sentry errors to provide triage summaries. There is a risk that sensitive internal details could be included in GitHub comments during the reporting phase.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 12:16 PM