user-story-implementer

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. It retrieves task descriptions and "Acceptance Criteria" from GitHub Issue bodies and is explicitly instructed to fulfill them. A malicious actor with the ability to create or edit issues could inject instructions to exfiltrate environment variables, delete source code, or introduce vulnerabilities into the codebase.
      • Ingestion points: GitHub Issue body content fetched via the gh issue list command in SKILL.md.
      • Boundary markers: None. The instructions do not define delimiters for external content or warn the agent to ignore embedded instructions within the issue body.
      • Capability inventory: The agent has broad capabilities including file system modification (implementing code), command execution (running tests, git, gh), and network access via git push and gh pr create.
      • Sanitization: No sanitization or validation of the fetched issue content is performed before the agent processes it as instructions.
  • [COMMAND_EXECUTION]: The skill relies on executing system commands using the GitHub CLI (gh) and Git. This includes fetching data (gh issue list), modifying remote state (gh issue edit, gh pr create), and performing repository operations (git checkout, git add, git commit, git push). While these are intended functionalities, they provide the necessary primitives for an indirect prompt injection attack to have high impact.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 12, 2026, 01:12 AM