skills/holon-run/holon/github-context/Gen Agent Trust Hub

github-context

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill acts as a major vector for indirect prompt injection because it is designed to ingest large amounts of untrusted data from external GitHub repositories.
  • Ingestion points: Fetches data from GitHub issues, PR metadata, comments, review threads, code diffs, and CI workflow logs.
  • Boundary markers: No mention of boundary markers or delimiters in the documentation to separate data from instructions in the generated JSON/text files.
  • Capability inventory: The skill produces structured output (manifest.json, pr.json, comments.json) intended for consumption by downstream agent skills. If a downstream skill has high-privilege capabilities (e.g., merging code or writing to a filesystem), the injected instructions could be executed.
  • Sanitization: No sanitization or filtering logic is described for the gathered content.
  • [COMMAND_EXECUTION] (MEDIUM): The skill invokes local shell scripts (scripts/collect.sh) and the GitHub CLI (gh) using external input. While the script content is not provided, the pattern of passing GitHub references (like repo names or PR numbers) to shell-based tools carries a risk of command injection if the input parsing is not strictly handled.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:52 AM