granola-ci-integration

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted external data (meeting notes), which introduces a surface for indirect prompt injection.
    • Ingestion points: Meeting content is ingested through Zapier's note_content and GitHub's client_payload in SKILL.md.
    • Boundary markers: The templates lack explicit boundary markers or instructions to the agent to ignore embedded commands within the meeting notes.
    • Capability inventory: The skill has permissions to write to GitHub repositories, create issues, and post to Slack and Linear.
    • Sanitization: Meeting content is parsed via regex but is not sanitized for prompt injection before being used in downstream API calls (e.g., issue titles/bodies).
  • [COMMAND_EXECUTION]: The GitHub Actions example uses an unsafe method to interpolate event data into a script block.
    • Evidence: The line const actions = JSON.parse('${{ github.event.client_payload.action_items }}'); in SKILL.md allows for arbitrary JavaScript execution if the payload contains malicious characters like single quotes.
  • [REMOTE_CODE_EXECUTION]: The workflow executes scripts based on data received from remote webhook dispatches.
    • Evidence: The repository_dispatch trigger in the GitHub Action receives data from Zapier, which is then executed within an actions/github-script context.
  • [EXTERNAL_DOWNLOADS]: The skill configuration downloads and uses standard GitHub Actions and interacts with well-known service webhooks.
    • Evidence: References to actions/checkout@v4 and actions/github-script@v7, and curl commands targeting Zapier hooks.
    • Context: These resources are from trusted organizations (GitHub) and well-known services (Zapier).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 12, 2026, 01:37 AM