github-skill
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script github_skill.py uses subprocess.run to execute the gh CLI tool. It properly passes arguments as a list, which is a secure method to prevent shell injection vulnerabilities when handling user-provided strings such as repository names.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads untrusted data from GitHub (e.g., PR titles, bodies, and comments) that may contain instructions targeting the AI agent.
  - Ingestion points: The github_skill.py script retrieves external content via the gh CLI across several functions, including cmd_prs, cmd_pr, and cmd_issue.
  - Boundary markers: Absent. The skill does not wrap retrieved content in delimiters or provide instructions to the agent to ignore any embedded commands within the fetched data.
  - Capability inventory: The skill facilitates command execution through the gh utility.
  - Sanitization: Absent. Content retrieved from GitHub repositories is returned directly to the agent without any sanitization, validation, or escaping.
Audit Metadata