github
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Almost all scripts in the skill (e.g., `scripts/pr/get_pr_context.py`, `scripts/issue/new_issue.py`) use `subprocess.run` to execute GitHub CLI (`gh`) commands. Furthermore, `scripts/test_workflow_locally.py` is designed to invoke `act` and `docker` for local workflow testing, enabling the execution of code defined in potentially untrusted local or remote workflow files.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8) due to its processing of external, untrusted content.
  - Ingestion points: Multiple scripts, including `scripts/pr/get_pr_review_comments.py`, `scripts/issue/invoke_copilot_assignment.py`, and `scripts/pr/invoke_pr_comment_processing.py`, retrieve and parse comments from GitHub PRs and issues which are authored by external users.
  - Boundary markers: The skill employs markers such as `<!-- COPILOT-CONTEXT-SYNTHESIS -->` in `scripts/issue/invoke_copilot_assignment.py` and other user-provided HTML comment markers in `scripts/issue/post_issue_comment.py` for idempotency, but these markers do not inherently sanitize or prevent the model from interpreting instructions within the ingested comment text.
  - Capability inventory: The skill possesses powerful capabilities that could be targeted by an injection attack, such as merging pull requests (`scripts/pr/merge_pr.py`), creating new issues (`scripts/issue/new_issue.py`), and modifying repository settings like auto-merge (`scripts/pr/set_pr_auto_merge.py`).
  - Sanitization: While the scripts generally use safe execution patterns (passing arguments as lists to `subprocess.run`), there is no significant sanitization or filtering of the natural language content extracted from comments before it is used to drive automated logic or synthesized for other AI tools.
Audit Metadata