github-triage
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted user-generated content from GitHub issues and pull requests.
  - Ingestion points: The skill fetches titles and bodies using `gh issue list` and `gh pr list` in `SKILL.md`.
  - Boundary markers: The prompt logic lacks explicit delimiters or instructions to treat the ingested GitHub content strictly as data, increasing the risk of the agent following instructions embedded in issues or PRs.
  - Capability inventory: The agent can perform high-impact actions including `gh issue comment`, `gh issue close`, and `gh pr merge`, and can read files using `grep`.
  - Sanitization: No sanitization or validation of the fetched external data is implemented before it is interpolated into the agent's context.
- [COMMAND_EXECUTION]: The skill executes various `gh` command-line interface tools to manage the repository.
  - The agent is instructed to run commands like `gh issue list`, `gh pr list`, `gh issue comment`, `gh issue close`, and `gh pr merge`.
  - While these commands are central to the skill's purpose, they are executed based on the evaluation of untrusted data, which could lead to unintended actions if the agent's logic is compromised.
Audit Metadata