Skills
skills/everyinc/compound-engineering-plugin/ce-report-bug/Gen Agent Trust Hub

ce-report-bug

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several shell commands to gather diagnostic information and submit the report:
  • uname -a to collect OS details.
  • Platform-specific version commands like claude --version and codex --version.
  • gh issue create to interact with GitHub's CLI for issue submission.
  • [DATA_EXFILTRATION]: The skill collects technical metadata including OS information, plugin versions, and user-provided bug descriptions, then transmits this data to the vendor's GitHub repository (EveryInc/compound-engineering-plugin). This behavior is transparent and aligns with the primary purpose of technical support and bug tracking.
  • [PROMPT_INJECTION]: The skill exhibits an indirect injection surface by incorporating untrusted user input into the body of a GitHub issue.
  • Ingestion points: User responses gathered in Step 1.
  • Boundary markers: The bug report uses markdown headers and horizontal rules to delimit sections.
  • Capability inventory: Uses the gh tool for network-based issue creation and multiple shell commands for metadata collection.
  • Sanitization: None explicitly defined in the instructions; the agent is expected to format the collected strings into a markdown template.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 23, 2026, 02:55 PM