workers-ci-cd
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): Templates in `templates/rollback-workflow.yml` and `templates/preview-deployment.yml` exhibit vulnerability surfaces where untrusted data is processed with high-privilege write capabilities.
  - Ingestion points: `github.event.inputs.version`, `github.event.inputs.reason`, and `github.event.number` from GitHub event contexts.
  - Boundary markers: Absent. Inputs are directly interpolated into commands.
  - Capability inventory: Write access to the repository via `git`, deployment capabilities via `wrangler`, and repository interaction via `github-script` (e.g., commenting on PRs).
  - Sanitization: Absent. Shell interpolation like `VERSION="${{ github.event.inputs.version }}"` allows for command injection if an attacker can influence input fields.
- Unverifiable Dependencies (MEDIUM): Several external GitHub Actions and tools are used from organizations outside the trusted scope, including:
  - `cloudflare/wrangler-action@v4`
  - `oven-sh/setup-bun@v2`
  - `slackapi/slack-github-action@v1`
  - `codecov/codecov-action@v4`
  - `gliech/create-github-secret-action@v1` (unverified personal repository)
- Dynamic Execution (MEDIUM): The use of `actions/github-script` in `templates/preview-deployment.yml` and `templates/github-actions-full.yml` to execute JavaScript logic at runtime increases the attack surface, particularly when combined with the lack of input sanitization mentioned in the injection analysis.
- Command Execution (LOW): The `scripts/verify-deployment.sh` script executes shell commands and performs network requests using `curl` based on arguments that may be influenced by dynamic workflow variables.
Recommendations
- AI detected serious security threats