dev-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data and possesses write/execute capabilities.
  - Ingestion points: The workflow reads issue details from external sources using `mcp__gitea__get_issue_by_index`, `mcp__MCP_DOCKER__get_issue`, and `gh issue view` (File: SKILL.md).
  - Capability inventory: The agent can execute shell commands (`git`, `cp`, `npm`, etc.), modify the filesystem, and push changes to remote repositories.
  - Boundary markers: None. There are no instructions to help the agent distinguish between its own instructions and potentially malicious instructions embedded in the issue body.
  - Sanitization: None. External content is interpolated directly into the workflow context.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Dependency on unverifiable external tools. The skill requires `Codex CLI` and `OpenCode` (File: SKILL.md). These tools are not from the Trusted External Sources list, and their execution (`codex review`, `opencode -p`) represents an unverified dependency risk.
- [COMMAND_EXECUTION] (MEDIUM): Execution of arbitrary project commands. In Step 6, the skill executes project-specific test commands like `npm test` or `xcodebuild test`. If an attacker has compromised the repository's configuration files (e.g., `package.json`), this results in arbitrary command execution when the agent attempts to run tests.
Recommendations
- AI detected serious security threats
Audit Metadata