github-pr-workflow
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes logic in SKILL.md to automatically harvest GitHub tokens from existing local configuration files, specifically
~/.hermes/.envand~/.git-credentials, to authenticate API requests. - [COMMAND_EXECUTION]: The skill utilizes
python3 -cwithin SKILL.md and references/ci-troubleshooting.md to dynamically execute inline Python scripts for parsing JSON responses and processing CI status data. - [PROMPT_INJECTION]: The skill describes an 'Auto-Fix Loop Pattern' that processes external CI logs to drive code modifications, creating an indirect prompt injection vulnerability surface.
- Ingestion points: CI logs are downloaded from GitHub Actions via the API and stored in
/tmp/ci-logs/for processing (found in SKILL.md and references/ci-troubleshooting.md). - Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to separate external log content from agent instructions.
- Capability inventory: The skill utilizes file modification and git operations, including
patch,write_file,git commit, andgit push(documented in SKILL.md). - Sanitization: Absent. Logs are downloaded and catted directly into the context without validation or sanitization.
Audit Metadata