github-sync-helper
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and displays untrusted content from GitHub (such as issue titles and pull request bodies) without sanitization.
  - Ingestion points: Data enters the agent's context through GitHub API calls in the gh-issues-list, gh-pr-list, and gh-actions-runs commands in scripts/gh_sync.sh.
  - Boundary markers: There are no delimiters or instructions used to separate external content from agent instructions in the output.
  - Capability inventory: The skill possesses capabilities to modify repository state (PR merging, issue closing) and perform destructive file operations (branch deletion, directory clearing).
  - Sanitization: External strings are processed and displayed directly without filtering or escaping.
- [COMMAND_EXECUTION]: The helper script implements several powerful and potentially destructive operations.
  - Destructive Commands: The delete-branches, empty-dir, and restore-dir commands can delete branches or clear directory contents across the workspace. While they require a confirmation flag, an autonomous agent may be easily prompted to provide it.
  - Script Modification: The restore-dir command automatically grants execution permissions (chmod +x) to all .sh files in any scripts directory within the destination. This provides a mechanism where untrusted files copied from a source directory are immediately made executable, increasing the risk of subsequent malicious script execution.