gh-fix-ci
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a bundled Python script and multiple GitHub CLI commands. It explicitly instructs the agent to request escalated sandbox permissions (
sandbox_permissions=require_escalated) to facilitate authentication and network access, which increases the potential impact of any command-related vulnerability. - [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external sources to drive its decision-making.
- Ingestion points: GitHub Actions job logs and PR metadata fetched via
gh run view --logandgh api. - Boundary markers: None identified; the workflow does not specify delimiters or instructions to ignore embedded commands in logs.
- Capability inventory: The agent has the capability to write code changes to the repository, execute the bundled
inspect_pr_checks.pyscript, and run arbitraryghcommands. - Sanitization: No evidence of log sanitization or validation before the content is summarized and used to generate a 'fix plan'. An attacker could intentionally trigger a CI failure with logs containing malicious instructions to influence the generated code.
Audit Metadata