ci-cd
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted project data that could contain malicious instructions. Ingestion points: SKILL.md utilizes Read, Glob, and Grep tools to ingest content from arbitrary project files like .github/workflows/*.yml and package.json. Boundary markers: Absent; the instructions do not provide delimiters or warnings to ignore embedded instructions within ingested data. Capability inventory: The skill has access to Edit, Write, Bash(gh), and Bash(git), enabling it to modify the repository or interact with the GitHub API. Sanitization: Absent; the agent processes raw content from read files to determine actions.
- Command Execution (MEDIUM): The skill utilizes powerful command-line tools. Evidence: SKILL.md explicitly allows Bash(gh) and Bash(git) tools, and the rule file action-pinning.md instructs the agent to use the gh api for commit SHA lookups. This capability provides a significant attack surface if the agent is manipulated via indirect injection.
Recommendations
- AI detected serious security threats
Audit Metadata