github-automation
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitHub and has the capability to perform sensitive actions.
  - Ingestion points: The skill uses tools like GITHUB_LIST_REPOSITORY_ISSUES, GITHUB_SEARCH_CODE, and GITHUB_GET_REPOSITORY_CONTENT to fetch content from external repositories, issues, and pull requests.
  - Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions embedded within the fetched GitHub data.
  - Capability inventory: The skill possesses high-privilege capabilities, including GITHUB_MERGE_A_PULL_REQUEST, GITHUB_CREATE_A_WORKFLOW_DISPATCH_EVENT, and GITHUB_DELETE_A_REPOSITORY (referenced in pitfalls).
  - Sanitization: The instructions do not include requirements for sanitizing or validating external data before it is processed by the agent.
- [EXTERNAL_DOWNLOADS]: The skill requires connecting to an external Model Context Protocol (MCP) server at https://rube.app/mcp. This endpoint acts as the gateway for the GitHub automation toolkit.
Audit Metadata