Skills
skills/dnyoussef/context-cascade/github-integration/Gen Agent Trust Hub

github-integration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests external untrusted data through multiple channels including GitHub webhooks, pull request metadata, and commit logs without sufficient sanitization or boundary markers.
  • Ingestion points: webhook-handler.js (HTTP POST /webhook), release-orchestrator.py (git log), and pr-automation.sh (GitHub API responses).
  • Boundary markers: Absent in all processing scripts.
  • Capability inventory: High; includes repository modification, command execution, and network operations.
  • Sanitization: signature verification is present in webhook-handler.js, but there is no protection against malicious natural language instructions embedded in fields like PR titles or commit messages that could influence the agent's logic during automated review or release cycles.
  • [Remote Code Execution] (HIGH): The release orchestration script dynamically executes build and test commands based on the presence of specific files in a repository, creating an RCE vector.
  • Evidence: release-orchestrator.py uses subprocess.run to execute commands like npm test, yarn test, pytest, and go test found within the targeted repository.
  • Risk: An attacker who can commit code to a repository processed by this skill can achieve arbitrary code execution by defining malicious test or build scripts.
  • [Command Execution] (MEDIUM): Multiple shell and Python scripts wrap system commands (curl, git) using variables derived from repository data or user input.
  • Evidence: pr-automation.sh and multi-repo.sh concatenate variables into shell command strings.
  • Risk: Potential for shell injection if inputs are not properly escaped before being passed to subprocess.run or shell execution.
  • [Unverifiable Dependencies] (MEDIUM): The skill's CI/CD template and scripts rely on external, third-party GitHub Actions and potentially unpinned tools.
  • Evidence: github-workflow-ci.yml uses aquasecurity/trivy-action@master and trufflesecurity/trufflehog@main.
  • Note: While these sources are from recognized organizations, the use of moving tags (@master, @main) allows for unvetted code updates at runtime.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:34 PM