GitHub Agentic Workflows Continuous AI Patterns
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill defines workflows where AI agents ingest and process untrusted text from GitHub issue titles, descriptions, and pull request diffs, creating a surface for indirect prompt injection attacks.
  - Ingestion points: The Triage Agent and Code Reviewer patterns read external content as described in triage-agent.yaml and continuous-review.yml.
  - Boundary markers: The provided prompt examples do not implement delimiters or specific instructions to ignore embedded commands in the processed data.
  - Capability inventory: The agents are granted write permissions for issues, pull requests, and project boards, allowing potential malicious actions if subverted.
  - Sanitization: No sanitization or validation of the untrusted input is included in the templates.
- [DATA_EXFILTRATION]: The feedback collection pattern in 'collect-feedback.yml' sends issue metadata and comment content to an external API (feedback-api.example.com). While it uses a placeholder domain, this design demonstrates a mechanism for data exfiltration to third-party servers.
Audit Metadata