github-ops
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Multiple scripts including `actions.sh`, `issues.sh`, `prs.sh`, `repos.sh`, `releases.sh`, and `search.sh` construct shell commands as strings and execute them using `eval`. This pattern is vulnerable to command injection because parameters such as branch names, workflow file paths, or input values are interpolated directly into the command string without sufficient shell escaping. If an agent provides values containing shell metacharacters (e.g., from a malicious repository), it could lead to arbitrary command execution on the host.
- [DATA_EXFILTRATION]: The skill provides tools to access sensitive user information. Specifically, `users.sh` can retrieve private email addresses and `notifications.sh` can read the contents of notification threads. While these are legitimate GitHub features, they expose private data to the agent's context.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it is designed to ingest and process large amounts of untrusted data from GitHub repositories.
  - Ingestion points: Files like `repos.sh` (contents), `issues.sh` (view/comments), `prs.sh` (view/comments/diff), `actions.sh` (logs), and `discussions.sh` (view/comments) all bring external, attacker-controlled text into the agent's reasoning process.
  - Boundary markers: The scripts do not use specific delimiters or instructions to help the agent distinguish between its own logic and the untrusted data being retrieved.
  - Capability inventory: The agent has extensive capabilities via these scripts, including `gh repo delete`, `gh pr merge`, `gh workflow run` (dispatch), and arbitrary repository modification.
  - Sanitization: While `jq` is used for JSON parsing, the subsequent execution logic in the shell scripts does not sanitize data before it is used in command construction.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of external code and files from GitHub, which is a well-known service but still represents the retrieval of external assets:
  - `repos.sh` can clone entire repositories to the local system.
  - `actions.sh` downloads workflow artifacts as compressed zip files.
  - `releases.sh` downloads release assets from repository releases.
Audit Metadata