blog-generator
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes official integrations and libraries from trusted organizations.
  - It employs the `anthropics/claude-code-base-action`, an official action from a trusted vendor, to handle content generation.
  - The workflow dynamically installs the `@google/genai` package from the official NPM registry, which is a well-known library from a trusted organization.
- [COMMAND_EXECUTION]: The workflow executes shell commands for repository management and automated script execution.
  - The AI agent's tool access is restricted to a specific whitelist of safe commands (`git`, `ls`, `date`), adhering to the principle of least privilege and preventing arbitrary command execution.
- [PROMPT_INJECTION]: The skill contains a surface for indirect prompt injection because it processes data from external sources to drive AI behavior.
  - Ingestion points: The workflow reads data from `content/topics.yml` and processes user-provided strings via the `topic` input in `workflow_dispatch` events.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are included when interpolating topics into the generation prompt.
  - Capability inventory: The agent has permissions to write files to the repository and create pull requests using the `GITHUB_TOKEN`. It also has restricted access to system tools through a controlled bash environment.
  - Sanitization: There is no evidence of sanitization or structural validation performed on the ingested topic strings before they are sent to the LLM.
Audit Metadata