actions-updater
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection (Category 8). It reads '.github/workflows' files, which are external data. A malicious actor could embed instructions inside the 'uses:' field (e.g., 'uses: owner/repo@v1; ignore previous instructions...'). When the agent reads the output of the 'check_updates.py' script, it may follow these injected instructions. This is especially dangerous given the agent's permission to modify files in the repository. * Ingestion points: 'scripts/check_updates.py' (reads all workflow YAML files). * Boundary markers: None. The script directly outputs strings found in the YAML files. * Capability inventory: 'subprocess.run' (via script), file modification (via agent's Edit tool). * Sanitization: None performed on the strings extracted from workflow files.
- [COMMAND_EXECUTION] (MEDIUM): The script executes the 'gh' CLI using repo names parsed from external files. Although it uses a list for arguments (avoiding simple shell injection), it does not sanitize against argument injection, allowing a malicious YAML file to pass unexpected flags to the 'gh' command.
Recommendations
- AI detected serious security threats
Audit Metadata