configure-argocd-automerge
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs repository maintenance and configuration tasks consistent with its description. No evidence of prompt injection, data exfiltration, or persistence mechanisms was found.
- [COMMAND_EXECUTION]: The GitHub Actions workflow template generated by the skill uses `${{ github.ref_name }}` directly in a shell run block. This is a common pattern in CI/CD automation, though it is a best practice to use environment variables for potentially user-controlled fields to mitigate shell injection risks if branch creation is not strictly controlled.
- [CREDENTIALS_UNSAFE]: The skill documentation recommends using a Personal Access Token (`AUTO_MERGE_PAT`) to allow the workflow to approve its own pull requests. While this is a standard workaround for GitHub Action limitations, users should manage this high-privilege secret according to the principle of least privilege.
Audit Metadata