github-issues
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill attempts to locate and extract GitHub authentication tokens by reading sensitive local files including
~/.git-credentialsand~/.hermes/.env. While this is intended to provide the necessary authorization for API requests toapi.github.com, it involves the exposure of credentials to the agent's execution environment. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to the processing of untrusted data from external GitHub repositories.
- Ingestion points: Untrusted data enters the agent context through the output of
gh issue list,gh issue view, and equivalentcurlcommands inSKILL.mdwhich fetch issue titles, bodies, and comments. - Boundary markers: The instructions lack explicit boundary markers or warnings to the agent to ignore instructions embedded within the processed issue data.
- Capability inventory: The skill has the capability to execute shell commands (
gh,curl), perform network operations to GitHub, and process data usingpython3across the mainSKILL.mdfile. - Sanitization: There is no evidence of sanitization or filtering applied to the external content before it is presented to the agent, allowing raw user-generated content from issues to be interpreted as part of the context.
Audit Metadata