github-tools
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection surface. 1. Ingestion points: Untrusted data enters the agent context via commands like issue-view, pr-view, discussion-view, run-logs, and search-code. 2. Boundary markers: The skill instructions lack any delimiters or warnings to ignore embedded instructions in the ingested data. 3. Capability inventory: The agent has high-privilege capabilities including pr-merge, pr-review, workflow-run, and a generic api tool. 4. Sanitization: No sanitization or validation logic is defined to protect the LLM from instructions embedded in external content.
- COMMAND_EXECUTION (MEDIUM): The api command allows the agent to execute arbitrary GitHub API requests, bypassing the constraints of the specific tool definitions and potentially allowing any action the underlying OAuth token permits.
- PROMPT_INJECTION (MEDIUM): Metadata and system instructions such as 'System auto-configures OAuth scopes' may lead the agent to assume excessive authority when processing untrusted inputs.
Recommendations
- AI detected serious security threats
Audit Metadata