cross-repo
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
gh-managercommand-line interface, a tool associated with the vendor, to perform repository discovery, configuration reading, and file modifications. - [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) by integrating external repository data into its decision-making and reporting flow.
- Ingestion points: Untrusted data enters the context via
gh-manager repos listand the results of individual repository health assessments. - Boundary markers: The skill lacks explicit delimiters or instructions to treat repository-sourced data as untrusted, which could allow malicious metadata (like repository names or health findings) to influence agent logic.
- Capability inventory: The skill possesses extensive write capabilities, including creating pull requests and making direct commits to the default branch (
main) for repositories classified in Tiers 1–3. - Sanitization: No evidence is provided that repository data is sanitized or validated before being used to generate commit messages or automated fixes.
Audit Metadata