review-action
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill correctly identifies GitHub workflow files as a potential vector for indirect prompt injection. It mitigates this by treating parsed prompt text as untrusted input and requiring the agent to halt if instructions violate safety boundaries. Evidence:
  1. Ingestion points: .github/workflows/*.yml.
  2. Boundary markers: Explicit instructions to treat hosted prompt text as untrusted.
  3. Capability inventory: Invokes secondary AI CLIs with restricted, read-only tools (git diff, gh pr view).
  4. Sanitization: Requires manual inspection and deterministic planning before invoking models.
- [COMMAND_EXECUTION]: Employs local CLI tools (git, gh, claude, codex) using a least-privilege approach. It configures the Claude CLI with a strict allowlist of read-only tools and a blocklist for mutating tools to enforce a sandbox environment.
- [DATA_EXFILTRATION]: Safety boundaries strictly forbid reading, requiring, or printing GitHub Actions secrets. The skill is restricted to terminal-only output and prevents any mutation of the local environment or remote GitHub state.
Audit Metadata