github
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from external sources (GitHub issues, PRs, and repository metadata).
  - Ingestion points: `SKILL.md` instructs the agent to use `gh issue view`, `gh pr view`, and `gh repo view` on URLs provided by users.
  - Boundary markers: Absent. There are no instructions to ignore or sanitize embedded instructions within the fetched GitHub content.
  - Capability inventory: The skill allows the agent to perform high-impact actions including `git push`, `gh pr create`, `gh issue create`, and `gh api` (arbitrary API access).
  - Sanitization: Absent. Content fetched from GitHub is used directly to inform agent actions.
  - Risk: An attacker could craft a GitHub issue or PR containing malicious instructions. If the agent views this resource, it may execute those instructions using its authenticated `gh` or `git` permissions (e.g., exfiltrating data via `gh api` or injecting code via `git push`).
- Command Execution (LOW): The skill relies on executing local system commands (`gh`, `git`). While these are standard tools, their use is governed by instructions that can be manipulated by the data they process.
Recommendations
- AI detected serious security threats