github-kb
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing shell commands via the GitHub CLI (gh) and git. It performs operations such as gh repo clone, git clone, and various search/view commands (gh search repos, gh issue view, etc.) based on user input.
- [EXTERNAL_DOWNLOADS]: The skill downloads external data and code by cloning GitHub repositories to the local directory ~/workspace/github-kb. This is a core feature of the skill used to build the local knowledge base.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to its data ingestion patterns.
  - Ingestion points: External content enters the agent context through cloned repository files (e.g., READMEs, source code) and fetched GitHub metadata (issue/PR descriptions) via SKILL.md instructions to "explore local copies" and "view repository details."
  - Boundary markers: There are no instructions to use delimiters or "ignore embedded instructions" warnings when processing the downloaded content.
  - Capability inventory: The agent has the ability to execute shell commands, read/write local files, and perform further network searches, which could be exploited if malicious instructions in a repository are obeyed.
  - Sanitization: The skill lacks sanitization or validation of the content retrieved from GitHub before the agent interprets it.
Audit Metadata