skills/openhands/skills/github/Gen Agent Trust Hub

github

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill advises updating the git remote URL to include the GITHUB_TOKEN (e.g., git remote set-url origin https://${GITHUB_TOKEN}@github.com/username/repo.git), which results in the sensitive authentication token being stored in plain text within the workspace's .git/config file.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it retrieves and processes content from GitHub pull request review threads without adequate sanitization.
      • Ingestion points: Fetches content from pull request review threads via gh api graphql (SKILL.md).
      • Boundary markers: Absent; no delimiters or explicit instructions are provided to the agent to treat external content as data rather than instructions.
      • Capability inventory: The agent has permissions to modify the repository (git push), create and update pull requests (create_pr), and manage GitHub Actions workflows (gh run).
      • Sanitization: Absent; the skill relies on the agent to "critically evaluate each review comment" rather than employing technical validation or filtering.
  • [COMMAND_EXECUTION]: The skill provides examples for executing powerful shell commands including git, gh, and curl to manage repositories and interact with APIs, which represent significant capabilities that could be abused if the agent is influenced by malicious input.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 25, 2026, 01:32 PM