label-management

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of shell scripts and loops to automate GitHub operations. These scripts interpolate variables derived from external sources (e.g., label names, issue numbers, file paths) directly into shell commands like gh label create "$name" and gh issue edit $issue. If these external values are maliciously crafted, they could potentially execute unintended shell logic depending on how the underlying execution environment handles the shell calls.
  • [DATA_EXFILTRATION]: The skill provides capabilities to read data from one repository and write it to another (cloning/syncing). This capability could be abused to exfiltrate repository metadata (labels, descriptions) to an attacker-controlled repository if the source or target repo parameters are manipulated.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from GitHub (labels, pull request file lists, etc.) and uses this data to drive logic and command construction without robust sanitization.
  • Ingestion points: Data enters the agent context through gh label list, gh api, gh issue list, and gh pr view commands (e.g., in SKILL.md under "Clone Labels" and "Auto-Label" sections).
  • Boundary markers: None. The scripts do not use delimiters or instructions to ignore embedded commands in the fetched data.
  • Capability inventory: The skill uses the gh CLI which has broad permissions for repository management, and shell execution via while and for loops.
  • Sanitization: The examples use basic shell quoting (e.g., "$name"), but do not include explicit validation, escaping, or sanitization for complex metadata fields that might contain shell metacharacters.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 10:35 AM
Security Audit — agent-trust-hub — label-management