gh-issue-fix-flow

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to instructions embedded in GitHub issues or comments. (1) Ingestion points: Step 1.1 uses gh issue view to ingest external content. (2) Capability inventory: The agent can modify files (Step 3) and execute git push (Step 5.4). (3) Boundary markers: None are specified to separate instructions from data. (4) Sanitization: None. An attacker could submit an issue comment that tricks the agent into modifying the codebase maliciously during the 'fix' process.
  • [Command Execution] (MEDIUM): The skill executes build and test processes via XcodeBuildMCP based on the context of untrusted issue data. Evidence: Step 4. Risk: If an attacker successfully influences the code changes via indirect prompt injection, the subsequent build and test commands would execute the malicious code in the local environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:52 AM