repo-manager
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell and Node.js scripts bundled within the plugin directory.
- Evidence: Runs
bash ${CLAUDE_PLUGIN_ROOT}/scripts/ensure-deps.shto bootstrap the environment. - Evidence: Invokes
node ${CLAUDE_PLUGIN_ROOT}/helper/bin/gh-manager.jsfor repository classification, authentication verification, and label management. - [EXTERNAL_DOWNLOADS]: Initialization involves downloading external dependencies from the npm registry.
- Evidence: The
ensure-deps.shscript is documented as automatically installing npm dependencies on first run. - [CREDENTIALS_UNSAFE]: The skill manages and verifies sensitive GitHub Personal Access Tokens.
- Evidence: Uses the
auth verifycommand to checkGITHUB_PATand provides setup instructions to the user. - [PROMPT_INJECTION]: The skill processes untrusted data from GitHub repositories, creating a surface for indirect prompt injection.
- Ingestion points: Fetches repository labels and reads the
.github-repo-manager.ymlfile from target repositories (SKILL.md). - Boundary markers: No explicit markers or delimiters are defined to isolate untrusted configuration data from the agent's instructions.
- Capability inventory: The skill can perform file mutations (commits/PRs), update wikis, and manage repository labels (SKILL.md).
- Sanitization: No sanitization or validation logic is specified for the contents of retrieved configuration files or labels.
Audit Metadata