blitz
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8c) because it extracts requirements from external GitHub issues to instruct sub-agents.
- Ingestion points: Data enters the agent context via the
gh issue viewcommand used in Phase 3 ofSKILL.mdto extract issue requirements. - Boundary markers: The prompt template uses markdown formatting, but lacks explicit instructions to the sub-agent to ignore potential malicious directives embedded within the issue body.
- Capability inventory: The delegated agents are authorized to perform file system modifications, execute tests (
npm,cargo,node), and interact with the repository using theghCLI. - Sanitization: There is no evidence of escaping, filtering, or validation of the content retrieved from GitHub issues before it is interpolated into the agent prompts.
- [COMMAND_EXECUTION]: The skill makes extensive use of local command execution to manage the git lifecycle and GitHub integration.
- Evidence: Use of
git worktree,git rebase, andgit push --force-with-leasefor workspace management. - Evidence: Orchestration of the GitHub CLI (
gh) for PR creation, merging, and issue management. - Context: These operations are consistent with the skill's primary purpose as a development orchestration tool.
Audit Metadata