Skills
skills/dnyoussef/ai-chrome-extension/github-workflow-automation/Gen Agent Trust Hub

github-workflow-automation

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation and examples frequently use npx to download and execute packages from the npm registry, specifically ruv-swarm and claude-flow@alpha. These tools originate from a vendor not recognized as trusted and are granted access to repository data.
  • [REMOTE_CODE_EXECUTION]: The skill uses npx to execute code directly from a remote package registry. Additionally, it includes a GitHub Action template that uses ruvnet/swarm-action@v1, which is an external dependency that executes code within the CI/CD environment.
  • [COMMAND_EXECUTION]: The skill involves executing complex shell commands that pipe output from the GitHub CLI (gh)—containing potentially sensitive repository data like pull request contents and logs—into third-party CLI tools.
  • [COMMAND_EXECUTION]: Several features, such as the "Self-Healing Pipeline" and "Smart Deployment," perform automated high-privilege operations including code fixes and deployment execution based on logic provided by unverified external swarm agents.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 2, 2026, 07:18 AM
Security Audit — agent-trust-hub — github-workflow-automation