github-automation
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE. Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from GitHub (issues, pull requests, file contents) which could contain malicious instructions designed to influence the agent's behavior.
- Ingestion points: Untrusted data enters the agent context through tools like GITHUB_LIST_REPOSITORY_ISSUES, GITHUB_GET_A_PULL_REQUEST, GITHUB_SEARCH_CODE, and GITHUB_GET_REPOSITORY_CONTENT, as documented in SKILL.md.
- Boundary markers: The skill lacks specific boundary markers or instructional safeguards to differentiate between user instructions and ingested data, increasing the risk of the agent obeying embedded commands.
- Capability inventory: The skill possesses high-privilege capabilities including merging pull requests (GITHUB_MERGE_A_PULL_REQUEST), deleting repositories (GITHUB_DELETE_A_REPOSITORY), and triggering CI/CD workflows (GITHUB_CREATE_A_WORKFLOW_DISPATCH_EVENT).
- Sanitization: There is no mention of sanitization or validation logic to filter potentially malicious content from GitHub API responses before they are processed.
- [EXTERNAL_DOWNLOADS]: The skill requires a connection to an external MCP server hosted at https://rube.app/mcp. This introduces a runtime dependency on an external service provider not included in the default trusted vendor list.
Audit Metadata