github-ops

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE [PROMPT_INJECTION] [DATA_EXFILTRATION]
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from an external source (GitHub) that could contain malicious instructions for the agent.
    • Ingestion points: Multiple functions in index.js, such as getFileContent, getIssue, listComments, and listPullRequests, retrieve raw content from GitHub repositories which can be controlled by third-party contributors.
    • Boundary markers: The skill does not implement delimiters or specific instructions to help the agent distinguish between its own system prompts and the data fetched from the API.
    • Capability inventory: The skill provides powerful write capabilities, including modifying repository files (createOrUpdateFile), triggering automation (triggerWorkflowDispatch), and managing issues/PRs, which an attacker could attempt to exploit via injected instructions.
    • Sanitization: Data retrieved from the API is returned to the agent without validation or sanitization of its content.
  • [DATA_EXFILTRATION]: The internal API request helper contains logic that could be misused to exfiltrate the authentication token.
    • Evidence: In index.js, the githubApi function allows the endpoint parameter to override the base URL if it starts with 'http'.
    • Impact: Since this function automatically attaches the GH_TOKEN to the request headers, an agent tricked into calling this helper with a non-GitHub URL would inadvertently send the user's secret token to an untrusted external server.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 05:11 AM