ci-sentinel
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from GitHub pull requests and CI logs.
  - Ingestion points: The skill retrieves PR lists and failure logs using the github-operations skill and the gh CLI, which are sources controllable by external contributors.
  - Boundary markers: The skill's instructions define no delimiters or safety guidance to separate external data from the agent's core logic.
  - Capability inventory: The agent possesses powerful tools including Bash, Write, and Edit, as well as access to GitHub operations.
  - Sanitization: There is no mention of input sanitization or validation for the data being analyzed before it is passed to the LLM.
- [COMMAND_EXECUTION]: The skill facilitates automated shell execution via the Claude Code CLI in a headless GitHub Actions environment.
  - It uses the Bash tool to perform diagnostic tasks based on external failure patterns identified in logs.
  - While the dontAsk permission mode is configured to limit destructive actions, the agent still performs logic-driven operations based on potentially malicious input.
- [DATA_EXFILTRATION]: The skill's ability to read repository content and interact with the GitHub API presents a risk of sensitive data exposure.
  - Information gathered during the automated debugging process could be inadvertently leaked in public PR comments or stored in the sentinel ledger file.
Audit Metadata