github-agentic-workflows
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The documentation includes instructions to download and execute an installation script directly from GitHub's official repository (github/gh-aw) as a standalone installer fallback. This follows the trust-scope rule for well-known services.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to automate the processing of untrusted external content such as GitHub issues and pull request descriptions.
  - Ingestion points: External data is ingested from the repository context via the github toolset.
  - Boundary markers: The workflow template uses markdown structure to organize context, though it does not include explicit instruction-protection delimiters.
  - Capability inventory: Executable capabilities include shell access (bash), network requests, and GitHub repository write operations through the safe-outputs mechanism.
  - Sanitization: The skill documents and implements several mitigations, including strict network allowlists, GitHub lockdown mode for public repositories, and a safe-output pattern that gates repository writes behind a verification job.
- [COMMAND_EXECUTION]: The skill executes a local Node.js script (find-gh-aw-targets.mjs), shipped with the skill, to scan the workspace. It also uses the gh-aw CLI for core functions such as compilation and validation.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill provides procedures for managing sensitive authentication tokens such as COPILOT_GITHUB_TOKEN and ANTHROPIC_API_KEY. It emphasizes the use of network egress controls to prevent unauthorized data exfiltration.