github-operations
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation in
references/issue-management.mdrecommends the installation of a third-party extension (yahsan2/gh-sub-issue) to enable sub-issue support. This extension originates from an unverified personal repository, and installing unvetted extensions can lead to the execution of untrusted code within the environment. - [COMMAND_EXECUTION]: The skill provides numerous complex Bash automation scripts in
examples/automation-scripts.mdandreferences/that executeghCLI commands. These scripts dynamically construct command strings using variables (e.g., issue titles, labels, and numbers) fetched from external GitHub records, which represents a significant capability surface for command execution. - [PROMPT_INJECTION]: The skill is designed to ingest and act upon data from external, potentially attacker-controlled sources (GitHub issues, PR comments, commit messages), creating a surface for indirect prompt injection.
- Ingestion points: External data enters the agent context through
gh issue list,gh pr list, and variousgh apicalls documented acrossSKILL.md,references/, andexamples/automation-scripts.md. - Boundary markers: The instructions and scripts do not implement explicit delimiters or guidelines to ignore embedded instructions within the ingested GitHub data (absent).
- Capability inventory: The skill is granted extensive capabilities including
Bashfor command execution andWrite/Editfor file system modification, as defined inSKILL.mdand utilized in the automation rules. - Sanitization: Although the provided scripts use
jqto parse structured JSON fields, the raw text content (e.g., descriptions used for sub-task matching inrules/issue-tracking-automation.md) is processed without specific sanitization against embedded natural language instructions (limited to structural parsing).
Audit Metadata