github-repo-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it aggregates data from untrusted external sources and has high-privilege capabilities.
- Ingestion points: Reads external data via GitHub MCP tools like
list PRsandget repo info(SKILL.md). - Boundary markers: None. There are no instructions to the agent to treat external content as untrusted or to use delimiters.
- Capability inventory: Executes local shell commands (
git push,git commit,git checkout) and performs GitHub write operations (create/merge PRs). - Sanitization: None. The skill does not specify any validation or sanitization for data retrieved from GitHub before it influences agent logic.
- Command Execution (MEDIUM): The skill relies on executing local shell commands (
git). While restricted to git, an attacker who successfully injects instructions via a PR body or commit message could potentially manipulate the local file system or exfiltrate source code by tricking the agent into executing malicious git configurations or hooks.
Recommendations
- AI detected serious security threats
Audit Metadata