github-automation
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references an external MCP server endpoint at https://rube.app/mcp to provide the underlying GitHub tool functionality.
- [COMMAND_EXECUTION]: The skill provides instructions for executing high-privilege GitHub operations, such as merging pull requests (GITHUB_MERGE_A_PULL_REQUEST), deleting repositories (GITHUB_DELETE_A_REPOSITORY), and modifying branch protection rules (GITHUB_UPDATE_BRANCH_PROTECTION). It mitigates risk by instructing the agent to require explicit human confirmation for these actions.
- [DATA_EXFILTRATION]: The skill is designed to read potentially sensitive repository data, including source code, private issue details, and commit history, as part of its intended automation functionality.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from GitHub repositories while maintaining write access to the environment.
  - Ingestion points: The agent reads data through GITHUB_LIST_REPOSITORY_ISSUES, GITHUB_GET_A_PULL_REQUEST, and GITHUB_SEARCH_CODE (all in SKILL.md).
  - Boundary markers: No explicit delimiters or instructions are provided to help the agent distinguish between data and embedded instructions in the fetched content.
  - Capability inventory: The skill includes write/admin capabilities such as GITHUB_MERGE_A_PULL_REQUEST and GITHUB_CREATE_A_WORKFLOW_DISPATCH_EVENT (all in SKILL.md).
  - Sanitization: There are no specified sanitization or validation routines for the content retrieved from GitHub before it is processed by the agent.
Audit Metadata