github-workflow-automation
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection where malicious content within PR diffs, issue reports, or comments can potentially override the AI's instructions.
- Ingestion points: PR diffs (SKILL.md section 1.1), Issue bodies (SKILL.md section 2.1), and comment text (SKILL.md section 5.1).
- Boundary markers: Not utilized. Untrusted data is directly inserted into the AI prompts without delimiters.
- Capability inventory: Includes creating PR reviews, managing labels, and executing git commands like `git push`.
- Sanitization: No input validation or sanitization is present in the provided templates.
- [DATA_EXFILTRATION]: Repository data, including diffs and commit logs, are transmitted to the Anthropic API for processing. While this uses a well-known service, it involves the transfer of repository content to an external provider.
- [COMMAND_EXECUTION]: Automated execution of `git rebase` and `git push --force-with-lease` is triggered by specific GitHub comment patterns. Automated force-pushing can be risky if the trigger mechanism is manipulated via injection.
- [EXTERNAL_DOWNLOADS]: Uses the `@anthropic-ai/sdk` package from the npm registry and multiple official GitHub Actions from trusted organizations.