github-project-management
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill uses `npx` to fetch and execute the `ruv-swarm` and `claude-flow` packages from the NPM registry. These packages are maintained by 'ruvnet', which is not a trusted organization or well-known service according to the security policy, posing a risk of running unvetted code.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from GitHub issues and project boards to drive automated actions.
  1. Ingestion points: Content is ingested from `gh issue view`, `gh issue list`, and `gh project item-list`.
  2. Boundary markers: No delimiters or 'ignore embedded instructions' markers are used when processing issue body content.
  3. Capability inventory: The skill can create/edit issues, post comments, and execute shell commands.
  4. Sanitization: There is no evidence of sanitization or validation of the ingested issue data before it is passed to other tools.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill includes a `board-realtime` command that supports sending project synchronization data to an external webhook endpoint, which could be misused to exfiltrate project information to an unauthorized server.
- [DYNAMIC_EXECUTION]: The skill constructs and executes Bash commands using output retrieved from the GitHub CLI (such as captured issue bodies). If these inputs contain shell metacharacters, it could lead to unintended command execution.
Audit Metadata