github
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
DATA_EXFILTRATION PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill exposes a large attack surface for indirect prompt injection because it is designed to ingest and process untrusted content from GitHub.
  - Ingestion points: Commands such as `get-file-contents`, `get-issue`, `list-issues`, `search-code`, and `get-pull-request-comments` retrieve data from external, potentially attacker-controlled sources.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are documented for these ingestion points.
  - Capability inventory: The skill can perform sensitive actions including `create-or-update-file`, `push-files`, `merge-pull-request`, and `create-pull-request-review`, which could be triggered by injected instructions.
  - Sanitization: There is no mention of sanitization or validation of the retrieved content before it is processed by the agent.
- [Data Exposure & Exfiltration] (LOW): The skill relies on a `GITHUB_TOKEN`. While the token is not hardcoded, the broad capabilities to read files and push content to repositories create a risk where an attacker could exfiltrate internal code or secrets if the agent's logic is subverted.
- [Command Execution] (SAFE): The skill executes a local TypeScript file (`github.ts`) using the Bun runtime. This is the intended operational mode for the skill and is performed using absolute paths, reducing the risk of path traversal or command hijacking in this specific context.