github-issues
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFECREDENTIALS_UNSAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill setup script attempts to extract GitHub authentication tokens from local files like
~/.git-credentialsand~/.hermes/.env. Accessing these files exposes existing user credentials to the agent's context. - [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by fetching and rendering untrusted data from GitHub issue bodies, titles, and comments.
- Ingestion points: Untrusted data is ingested from the GitHub API and CLI output in
SKILL.md(lines 60-100 and 160-250). - Boundary markers: The skill lacks delimiters or instructions to ignore instructions embedded within the fetched issue content.
- Capability inventory: The skill has access to shell execution (
gh,curl,python3,git) and network operations. - Sanitization: There is no filtering or sanitization of the issue content before it is displayed to the agent, allowing potential commands in issue comments to influence agent behavior.
- [COMMAND_EXECUTION]: The skill uses
curlto fetch JSON data from the GitHub API and pipes it directly intopython3 -cfor parsing. While the target is a well-known service, this pattern establishes an execution flow based on remote data inputs.
Audit Metadata