github-project
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE (COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/verify-github-project.sh` script performs an automated audit of a repository's settings by executing `gh api` and `git` commands. It checks for the existence of required documentation, dependency management configurations, and branch protection settings.
- [INDIRECT_PROMPT_INJECTION]: The skill includes several GitHub Action templates (e.g., `release-labeler.yml.template`, `auto-merge.yml.template`) that process data from pull requests and releases. The templates demonstrate security awareness by using `printf` and temporary files to handle untrusted input, mitigating potential shell injection risks from release bodies or PR titles.
- [EXTERNAL_DOWNLOADS]: The `references/actionlint-guide.md` file provides instructions for installing `actionlint` using `curl` from its official GitHub releases. This is a standard installation procedure for a well-known development tool.
- [COMMAND_EXECUTION]: Workflow templates such as `assets/pr-quality.yml.template` use `gh pr review --approve` to automate approvals for trusted collaborators. The documentation explicitly warns against using `actions/checkout` within `pull_request_target` workflows to prevent unauthorized code execution with write permissions.
Audit Metadata