invoking-github
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data from external repositories via the read_file function and possesses high-privilege write capabilities (commit_file, create_pull_request). This creates a high-risk surface where a malicious file from a repository could command the agent to perform unauthorized repository modifications.
  - Ingestion points: github_client.py:read_file allows the agent to read arbitrary file contents from external GitHub repositories.
  - Capability inventory: The skill enables file writing (commit_file), bulk file updates (commit_files), and Pull Request creation (create_pull_request).
  - Boundary markers: No specific delimiters or 'ignore embedded instructions' warnings are mentioned to prevent the agent from obeying instructions found inside read files.
  - Sanitization: No evidence is provided of content sanitization or filtering of external data before it enters the LLM context.
- Credential Handling (MEDIUM): Instructions in credential-setup.md direct users to store plaintext GitHub Personal Access Tokens (PATs) in 'Project Knowledge' documents. This exposes the secret directly to the agent's prompt context, making it vulnerable to exfiltration via prompt injection attacks.
- Unsafe Pattern (LOW): The setup guide provides a Python snippet for users to run that modifies sys.path to include local skill directories. While common for development, this practice can lead to execution of unintended local code if directories are misconfigured.
Recommendations
- AI detected serious security threats
Audit Metadata