GitHub Workflow
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it retrieves and processes untrusted data from GitHub. \n
- Ingestion points: Untrusted data enters the agent context via issue titles, issue bodies, pull request descriptions, and review comments, which are fetched using
ghCLI and GitHub MCP in skills such asgh-issue,gh-triage,gh-pr-respond,gh-pr-status, andgh-mine. \n - Boundary markers: While input sanitization is defined for CLI arguments, the skill lacks explicit boundary markers or 'ignore embedded instructions' warnings for the external content displayed to the agent. \n
- Capability inventory: The skill has significant operational capabilities, including executing
gitoperations (push, merge, tag),ghrepository management, and, crucially, modifying local source files ingh-pr-respondto 'apply suggested fixes' from review comments. \n - Sanitization: The skill documentation specifies rules to reject shell metacharacters and null bytes for fields like repository identifiers, labels, and usernames, which helps prevent direct command injection but does not mitigate instructions embedded in the external text itself.\n- [COMMAND_EXECUTION]: The skill relies on several bash scripts (
activity-summary.sh,my-items.sh,release-notes.sh,repo-health.sh) to perform its functions. These scripts execute shell commands (gitandgh) with parameters often derived from repository metadata or time ranges. While the parameters are constrained by the logic in the skill definitions, these scripts run within the local environment and interact with external repository data.
Audit Metadata