github-automation
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the user to connect to an external, third-party MCP endpoint at https://rube.app/mcp. This server provides the tool definitions and execution logic for the GitHub toolkit.
- [COMMAND_EXECUTION]: The skill exposes highly sensitive administrative tools that can perform destructive actions. Evidence includes the availability of GITHUB_DELETE_A_REPOSITORY, which is permanent and irreversible, and GITHUB_UPDATE_BRANCH_PROTECTION, which can be used to bypass security controls. Although the documentation advises user confirmation, the agent has the technical capability to execute these commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources and has powerful write capabilities.
  - Ingestion points: The skill reads external content through GITHUB_LIST_REPOSITORY_ISSUES, GITHUB_SEARCH_CODE, GITHUB_GET_REPOSITORY_CONTENT, and GITHUB_GET_A_PULL_REQUEST (all in SKILL.md).
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are implemented when processing these data sources.
  - Capability inventory: The skill possesses extensive capabilities including deleting repositories, merging pull requests, and triggering CI/CD workflows via GITHUB_CREATE_A_WORKFLOW_DISPATCH_EVENT.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from GitHub before it is processed or used to inform subsequent automated actions.
Audit Metadata