github-workflow
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks. It is designed to read and act upon data from external sources like GitHub PR comments, issue descriptions, and workflow logs. A malicious actor could embed instructions within these fields to trick the agent into performing unauthorized repository actions or bypassing internal logic.
- Ingestion points: Untrusted data enters via
gh pr(comments/bodies),gh issue, andgh run(logs). - Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore embedded commands in the processed text.
- Capability inventory: The skill utilizes the
ghCLI which has extensive permissions to mutate repository state, manage releases, and execute workflows. - Sanitization: No evidence of input validation or sanitization is present in the skill instructions.
Audit Metadata