creating-github-child-issues
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to derive variables (
OWNER,REPO,PARENT_NUMBER) from the user-providedISSUE_URLand use them directly in shell commands. For example, insubagents/task-issue-creator.md, the agent is told to rungh issue view <PARENT_NUMBER> --repo OWNER/REPOandgh api repos/OWNER/REPO/issues/PARENT_NUMBER/sub_issues. If theISSUE_URLcontains shell metacharacters and the agent's parsing logic is insufficiently robust, this pattern could lead to arbitrary command execution on the host system. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from local markdown files to drive its core logic.
- Ingestion points: The subagent
task-issue-creator.mdreads task definitions and implementation notes fromdocs/<ISSUE_SLUG>-tasks.md. - Boundary markers: There are no explicit boundary markers or instructions to treat the content of the task sections as untrusted text; the agent extracts content based on headings.
- Capability inventory: The skill possesses significant capabilities, including the ability to create and view GitHub issues via the
ghCLI and the ability to modify local files in thedocs/directory. - Sanitization: There is no mention of sanitizing or validating the content extracted from the plan file before it is interpolated into GitHub issue bodies or used to update local artifacts, allowing potentially malicious instructions in the plan to influence the agent's actions.
Audit Metadata