label-management
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of shell scripts and loops to automate GitHub operations. These scripts interpolate variables derived from external sources (e.g., label names, issue numbers, file paths) directly into shell commands like
gh label create "$name"andgh issue edit $issue. If these external values are maliciously crafted, they could potentially execute unintended shell logic depending on how the underlying execution environment handles the shell calls. - [DATA_EXFILTRATION]: The skill provides capabilities to read data from one repository and write it to another (cloning/syncing). This capability could be abused to exfiltrate repository metadata (labels, descriptions) to an attacker-controlled repository if the source or target repo parameters are manipulated.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from GitHub (labels, pull request file lists, etc.) and uses this data to drive logic and command construction without robust sanitization.
- Ingestion points: Data enters the agent context through
gh label list,gh api,gh issue list, andgh pr viewcommands (e.g., in SKILL.md under "Clone Labels" and "Auto-Label" sections). - Boundary markers: None. The scripts do not use delimiters or instructions to ignore embedded commands in the fetched data.
- Capability inventory: The skill uses the
ghCLI which has broad permissions for repository management, and shell execution viawhileandforloops. - Sanitization: The examples use basic shell quoting (e.g.,
"$name"), but do not include explicit validation, escaping, or sanitization for complex metadata fields that might contain shell metacharacters.
Audit Metadata