GitHub Actions Integration for Agentic Workflows
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The workflow templates establish an indirect prompt injection surface by processing data from external contributors without sufficient isolation.
  - Ingestion points: Untrusted data enters the agent context through environment variables like PR_TITLE, PR_AUTHOR, ISSUE_TITLE, and ISSUE_BODY in the SKILL.md workflow definitions.
  - Boundary markers: The templates provided in the documentation do not use explicit boundary markers or delimiters (e.g., XML tags or unique string separators) to separate system instructions from user-provided content in the agent prompts.
  - Capability inventory: The agents are granted write access to the repository, including the ability to post comments (github.rest.issues.createComment), add labels (github.rest.issues.addLabels), and create pull requests (peter-evans/create-pull-request), which could be abused if the agent is successfully manipulated via injection.
  - Sanitization: There is no evidence of sanitization, filtering, or escaping logic being applied to the GitHub event data before it is passed as input to the agent scripts.
- [COMMAND_EXECUTION]: The workflows are designed to execute various local scripts and management tools, such as node scripts/agents/pr-analyzer.js, python scripts/agents/issue_triage.py, and the mcpgateway tool. These processes run within the runner environment and have access to the repository's files and configured environment secrets.
Audit Metadata