agent-project-board-sync

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the GitHub CLI (gh) and standard Git commands to manage project boards, issues, and repository state. These commands are used for initializing boards, creating project fields, and adding items.
  • [EXTERNAL_DOWNLOADS]: The skill invokes npx ruv-swarm to execute board synchronization and management tasks. The ruv-swarm package is a tool provided by the author 'ruvnet' and is central to the skill's intended functionality.
  • [DATA_EXFILTRATION]: Includes functionality to send updates to a configurable webhook endpoint and distribute reports via Slack or Email. These are documented features for real-time synchronization and team communication.
  • [PROMPT_INJECTION]: The skill processes untrusted data from external sources, which creates a potential surface for indirect prompt injection.
      • Ingestion points: Untrusted data enters the context through gh issue list and gh project item-list in SKILL.md.
      • Boundary markers: Absent; the skill does not use specific delimiters or instructions to distinguish between its own logic and ingested content.
      • Capability inventory: The agent has access to powerful tools including Bash, file system operations (Read, Write, Edit), and GitHub API management.
      • Sanitization: No evidence of sanitization or validation for the ingested GitHub data was found in the provided skill content.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 04:32 PM