github
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to process external pull request review comments fetched via the GitHub API (specifically GraphQL queries in SKILL.md). This creates a surface for Indirect Prompt Injection, where an attacker could embed malicious instructions in a GitHub comment to influence the agent's subsequent actions.
- Ingestion points: Review comments are retrieved using `gh api graphql` in the 'Handling Review Comments' section.
- Boundary markers: The skill provides behavioral instructions for the agent to 'Critically evaluate each review comment' and decide whether to implement it, which serves as a conceptual boundary but does not programmatically sanitize input.
- Capability inventory: The agent has permissions to perform `git push`, `git checkout`, `gh run rerun`, and create pull requests.
- Sanitization: No explicit sanitization or escaping of the comment content is mentioned before the agent evaluates it.
- [COMMAND_EXECUTION]: The skill provides instructions for executing Git and GitHub CLI (`gh`) commands. One instruction suggests updating the Git remote URL using `git remote set-url origin https://${GITHUB_TOKEN}@github.com/...`, which stores the environment variable's value in the plain-text `.git/config` file. While this is a common practice for automated environments, it is a point of local credential exposure.