skills/dnyoussef/ai-chrome-extension/when-automating-github-actions-use-workflow-automation/Gen Agent Trust Hub
when-automating-github-actions-use-workflow-automation
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes frequent use of shell commands and local scripts to perform its tasks. It references several scripts that are not provided in the skill files, including
scripts/project-analyzer.sh,scripts/workflow-generator.sh,scripts/workflow-validator.sh,scripts/workflow-analytics.sh, andscripts/github-api.sh. These scripts are executed viabashand handle sensitive operations like repository analysis and API interaction. - [EXTERNAL_DOWNLOADS]: The skill instructions frequently invoke
npx claude-flow@alpha. This command downloads and executes theclaude-flowpackage from the npm registry at runtime. Using an alpha-stage package from a public registry introduces a supply chain risk, as the code is subject to change and its provenance is not verified within the skill. - [DATA_EXFILTRATION]: The skill utilizes
scripts/github-api.shto create pull requests and fetch workflow run data. This involves transmitting project information and potentially sensitive workflow logs to GitHub's infrastructure. It also manages secrets via an.secretsfile when using theacttool for local testing. - [REMOTE_CODE_EXECUTION]: The use of
npxto run remote packages combined with the execution of multiple unverified local shell scripts grants the skill significant control over the host environment. The logic involves dynamic task orchestration where agents can spawn further processes. - [INDIRECT_PROMPT_INJECTION]: The skill has a surface for indirect injection as it ingests and processes external data such as project structures, third-party workflow templates, and GitHub API responses (logs/metrics). While it includes some validation steps (e.g.,
workflow-validator.sh), the ingestion of untrusted external content remains an attack vector.
Audit Metadata