when-managing-github-projects-use-github-project-management

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the claude-flow package with an unpinned @alpha tag. This creates a dependency on remote code that can change without notice, introducing supply chain risk.
  • [COMMAND_EXECUTION]: The workflow relies on the execution of multiple local shell scripts (e.g., scripts/github-api.sh, scripts/project-api.sh, scripts/team-capacity.sh) to perform tasks. This allows the skill to execute arbitrary logic on the host system.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitHub issues and comments to drive logic like triage, classification, and assignment.
  • Ingestion points: Fetches issue details and comments via scripts/github-api.sh fetch-issue in SKILL.md.
  • Boundary markers: No explicit delimiters or instructions are provided to the agents to ignore potential instructions embedded in the ingested content.
  • Capability inventory: The skill has broad capabilities, including writing to the GitHub API (creating releases and milestones) and sending data to Slack webhooks.
  • Sanitization: There is no evidence of filtering or sanitization of issue bodies or comments before they are interpreted by the agents.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:22 AM
Security Audit — agent-trust-hub — when-managing-github-projects-use-github-project-management