gha-security-review
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill contains legitimate, well-structured instructions for performing security audits of GitHub Actions workflows. It implements a clear threat model focusing on external attackers and provides specific guidance on identifying exploitable patterns like pull_request_target misconfigurations.
- [PROMPT_INJECTION]: The skill is designed to ingest and analyze untrusted data, specifically GitHub Actions workflows and configuration files (e.g., CLAUDE.md, Makefile). While this creates a theoretical surface for indirect prompt injection, the skill lacks dangerous capabilities such as network operations or arbitrary code execution, and its focus on security analysis naturally involves handling untrusted input. (File: SKILL.md)
Audit Metadata