skills/openhands/skills/github/Gen Agent Trust Hub

github

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes system commands through the gh CLI and git to manage repositories and GitHub Actions.
      • Evidence: Commands such as gh run watch, gh pr checks, and git push are documented in README.md and SKILL.md as standard operational procedures.
      • Evidence: Troubleshooting instructions in README.md suggest using git remote set-url origin https://${GITHUB_TOKEN}@github.com/username/repo.git, which places the authentication token in the remote URL, potentially exposing it in local configurations or command history.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from GitHub pull request review comments.
      • Ingestion points: In SKILL.md, the gh api graphql command is used to fetch the bodies of review comments from external contributors.
      • Boundary markers: No delimiters or boundary markers are specified to isolate the external comment text from the agent's operational instructions.
      • Capability inventory: The agent has broad capabilities including git operations (branching, pushing), workflow management via gh, and arbitrary network requests via curl with the GITHUB_TOKEN (referenced in README.md and SKILL.md).
      • Sanitization: Technical sanitization of the comment content is absent; the skill relies solely on the agent's ability to "critically evaluate each review comment."
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 09:05 PM