github-notification-triage
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from GitHub notifications, creating a surface for indirect prompt injection.
- Ingestion points: GitHub notification content processed by scripts/github-notification-triage.py.
- Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the notification data.
- Capability inventory: The agent has access to Bash, Read, and Write tools, which could be abused if the agent is manipulated by instructions inside a notification.
- Sanitization: No evidence of sanitization or filtering of the incoming notification data.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local Python script scripts/github-notification-triage.py. This is the primary mechanism for its functionality.
Audit Metadata