github
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  - Ingestion points: The scripts/github.py script retrieves untrusted content such as issue descriptions, pull request bodies, and comments via gh issue view and gh pr view.
  - Boundary markers: Output formatting does not include clear delimiters or instructions to the agent to ignore embedded commands in the processed data.
  - Capability inventory: The skill grants the agent extensive permissions, including the ability to merge pull requests, close issues, delete repositories, and execute arbitrary requests via gh api.
  - Sanitization: Content fetched from GitHub is processed and displayed without sanitization.
- [COMMAND_EXECUTION]: The skill executes external commands using the gh CLI. While the primary wrapper in scripts/github.py uses safe subprocess practices with argument lists, example scripts in references/common-workflows.md use unquoted variables in shell commands (e.g., gh issue edit $issue_num --add-label $label), which poses a risk of command injection if adapted into executable tools.