github-workflow-automation
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes several indirect prompt injection surfaces: text from untrusted sources is interpolated into LLM prompts with neither sanitization nor boundary markers separating it from the instructions.
- Ingestion points: PR diffs (AI Review Action), issue titles and bodies (Issue Triage), commit messages (AI Risk Assessment), and comment bodies (AI Mention Bot). All of these can be written by external contributors, so every one of them is attacker-controlled input.
- Boundary markers: Absent. Instructions and data are concatenated into one string (e.g., 'Review this PR diff and provide feedback: ${{ steps.diff.outputs.diff }}'), so the model has no signal where the instruction ends and the contributor's text begins. (Where such an expression is expanded inside a 'run:' script rather than passed through 'env:', the same line is also a shell-injection surface, independent of the LLM.)
- Capability inventory: The agent can create PR reviews, add labels to issues, post comments, and fail deployment jobs based on AI analysis. A successful injection therefore translates directly into an approving review, a misleading label, an attacker-authored comment, or a blocked deployment.
- Sanitization: None detected. Content is mapped straight into environment variables or step outputs and passed to the LLM unmodified.
- [COMMAND_EXECUTION]: The smartCherryPick example demonstrates an architectural pattern in which AI-generated content is written to the filesystem without validation ('await applyResolution(conflict.file, resolution)'). An attacker who plants instructions in a change that later conflicts can steer the model during the conflict-resolution phase and have malicious code written into the branch.
Audit Metadata