github-autonomous-worker
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted content from external GitHub issues and comments.
  - Ingestion points: In SKILL.md, the agent is directed to use "gh issue view <number> --comments" to retrieve issue descriptions and comment history.
  - Boundary markers: No delimiters or safety instructions are provided to help the agent distinguish between task data and potentially malicious instructions embedded in the issue content.
  - Capability inventory: The skill explicitly grants the agent "full access to the gh CLI" and "all standard development tools," authorizing it to use "all available tools" during the implementation phase.
  - Sanitization: The instructions contain no logic for sanitizing or validating retrieved GitHub content before the agent processes it or executes commands based on it.
- [COMMAND_EXECUTION]: The skill provides the agent with the ability to execute arbitrary commands using the local environment's development tools and the GitHub CLI. The instructions to operate "without asking the user any questions" and to suppress direct communication remove critical human-in-the-loop checkpoints, increasing the risk that commands influenced by malicious external input will be executed without review.