workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill documentation suggests installing dependencies via `curl -sS https://webi.sh/gh | sh`. Piping unverified scripts from third-party domains directly into the shell allows for arbitrary remote code execution and is a high-risk pattern.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it reads and processes untrusted external data from GitHub Actions.
  - Ingestion points: Action logs via `gh run view --log` and workflow metadata via `gh run list`.
  - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the logs.
  - Capability inventory: The skill can rerun, cancel, and trigger workflows, and execute local `osascript` commands.
  - Sanitization: None; content fetched from external logs is passed to the agent's context without filtering.
- [CREDENTIALS_UNSAFE] (HIGH): The skill facilitates `gh auth login`, which manages sensitive GitHub access tokens. These credentials reside in the file system and could be targeted if the agent is compromised.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes local shell commands including `git` and macOS `osascript`. While used for functionality, these provide a vector for local side effects if the agent's logic is subverted via prompt injection.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://webi.sh/gh - DO NOT USE
- AI detected serious security threats
Audit Metadata