skills/ykdojo/claude-code-tips/gha/Gen Agent Trust Hub

gha

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill possesses a significant attack surface for Indirect Prompt Injection.
      • Ingestion points: It ingests untrusted external content from GitHub Actions logs and Pull Request titles/descriptions via the gh CLI.
      • Capability inventory: It performs complex reasoning over this data to generate root cause hypotheses and actionable recommendations (e.g., the 'Recommendation' section).
      • Boundary markers: There are no boundary markers (like XML tags or specific delimiters) used to separate the instructions from the untrusted log data being analyzed.
      • Sanitization: No sanitization or filtering is performed on the retrieved logs or PR metadata before processing.
      • Risk: An attacker can control the content of workflow logs (e.g., by submitting a malicious PR that prints specific strings). These logs could contain instructions that trick the agent into providing false root cause analyses or recommending malicious commands to the user.
  • COMMAND_EXECUTION (LOW): The skill explicitly requires and uses the gh CLI to interact with GitHub.
      • Evidence: Uses the gh run list, gh run view, and gh pr list commands.
      • Risk: While the prompt focuses on read operations, the agent's actual capability depends on the permissions of the GH_TOKEN in the environment. If the token has write access, it increases the potential impact of a successful prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:48 AM