github-workflow-automation
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to download and execute external packages including `ruv-swarm` and `claude-flow@alpha`. These are third-party dependencies that are executed at runtime during various workflow stages.
- [COMMAND_EXECUTION]: The skill performs significant system-level operations via the GitHub CLI (`gh`) and `bash` scripts. These include creating issues, generating workflow files, managing releases, and modifying repository structures. Such capabilities grant the skill broad control over the GitHub environment.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) by processing untrusted data to drive AI decision-making.
  - Ingestion points: Data enters the agent context via `gh pr view` (files and labels), `gh run view` (failure logs), and general codebase analysis.
  - Boundary markers: There are no documented boundary markers or instructions to the LLM to ignore embedded commands within the ingested data.
  - Capability inventory: The skill possesses powerful capabilities including `gh issue create`, `gh pr comment`, `gh pr create`, and the generation/execution of new GitHub Action workflows.
  - Sanitization: There is no evidence of sanitization or validation of the ingested strings before they are interpolated into the swarm coordination logic.
- [DATA_EXFILTRATION]: Documentation within the skill suggests the use of GitHub Secrets (`secrets.API_KEY`, `secrets.SWARM_CONFIG`) in environment variables. While standard for CI/CD, this handling of sensitive credentials requires careful management to ensure they are not exposed to untrusted execution steps.
Audit Metadata