github-agentic-workflows
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The documented workflow system creates an inherent surface for indirect prompt injection attacks where malicious input from external sources could influence the AI agent's behavior.
- Ingestion points: Workflows ingest content from GitHub issues, pull requests, and web search results (File: SKILL.md, Examples 1, 3, and 5).
- Boundary markers: The examples provided do not include explicit delimiters or instructions to ignore commands within the data being processed, which increases the risk of the agent obeying instructions embedded in the external content.
- Capability inventory: Agents are granted access to powerful tools including `github` (API write access), `bash` (shell execution), and `edit` (file modification).
- Sanitization: The documentation does not demonstrate techniques for sanitizing or escaping untrusted input before it is interpolated into the agent's prompts.
- [EXTERNAL_DOWNLOADS]: Documents the installation of the `gh-aw` extension from the official `github` organization repository using `gh extension install github/gh-aw`. This is a trusted source.
- [COMMAND_EXECUTION]: Describes the use of a `bash` tool which enables the AI agent to execute arbitrary shell commands to perform automated tasks.
- [REMOTE_CODE_EXECUTION]: Includes an example of a 'Custom Tool' (File: SKILL.md, Example 6) where JavaScript code is embedded in the workflow configuration and executed dynamically by the workflow engine at runtime.