fetching-github-issue
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using the GitHub CLI (
gh).\n - Evidence: In
subagents/issue-retriever.md, the agent is directed to construct and run commands likegh issue view <ISSUE_NUMBER> --repo <owner>/<repo>andgh apicalls using identifiers derived from user input.\n - Risk: There is a potential for command injection if the user-provided URL or identifiers contain shell metacharacters and the agent does not correctly sanitize or escape them before execution.\n
- Mitigation: The skill includes explicit instructions for the agent to validate input coordinates and normalize identifiers before performing any GitHub operations.\n- [PROMPT_INJECTION]: The skill processes untrusted data from an external source (GitHub), serving as a potential vector for indirect prompt injection targeting subsequent workflow steps.\n
- Ingestion points: The skill retrieves issue bodies and comments from the GitHub API using
gh(documented insubagents/issue-retriever.md).\n - Boundary markers: Output is structured according to a Markdown snapshot template (
subagents/issue-retriever-template.md).\n - Capability inventory: The agent has the ability to execute shell commands and write to the local filesystem (
docs/).\n - Sanitization: The skill mitigates structural confusion by instructing the agent to rewrite source Markdown headings (e.g.,
##) as bold labels to prevent them from colliding with the snapshot's reserved sections.\n - Risk: Malicious instructions embedded in GitHub issues or comments could influence the behavior of other agents that consume the generated artifact.
Audit Metadata