agent-github-modes
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool and the GitHub CLI (`gh`) to perform repository operations such as creating issues, managing pull requests, and listing secrets. This is consistent with the skill's stated purpose of workflow orchestration.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external GitHub resources.
  - Ingestion points: Content is retrieved from GitHub using tools like `gh pr view`, `gh issue list`, and the `Read` tool which accesses file contents.
  - Boundary markers: The skill does not define explicit delimiters or 'ignore' instructions to distinguish between its own logic and instructions that might be embedded in the fetched GitHub content.
  - Capability inventory: The agent possesses high-impact capabilities including arbitrary shell execution (`Bash`), file modification (`Write`), and GitHub repository management (`gh` CLI).
  - Sanitization: There is no evidence of sanitization or structural validation for the data ingested from GitHub before it is processed by the agent.
Audit Metadata