github-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill faces a significant risk of Indirect Prompt Injection by processing untrusted external content while holding write/execute capabilities.
  1. Ingestion points: Untrusted data enters the agent context through 'gh issue view', 'gh pr view', 'gh search code', and 'gh repo view' as specified in SKILL.md.
  2. Boundary markers: The skill lacks any delimiters or specific instructions to the agent to ignore or isolate instructions embedded in the retrieved data.
  3. Capability inventory: High-privilege operations such as 'gh pr merge', 'gh release create', and 'gh workflow' management are available to the agent (SKILL.md).
  4. Sanitization: No content sanitization or validation mechanisms are present in the skill instructions.
- [Command Execution] (MEDIUM): The documentation recommends using 'bash -c' for shell command execution to handle environment variables. This pattern creates a shell injection risk if user-controlled variables or data from GitHub are interpolated into the command string without strict escaping. Evidence: Prerequisites section in SKILL.md.
Recommendations
- AI detected serious security threats
Audit Metadata