Skills
skills/firecrawl/openclaw/gh-issues/Gen Agent Trust Hub

gh-issues

Pass

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it interpolates untrusted GitHub issue content into the task prompt for sub-agents. This allows an attacker to control the sub-agent's behavior via a malicious issue body.
  • Ingestion points: Fetches GitHub issue content (title, body) from the SOURCE_REPO in Phase 2 and Phase 5.
  • Boundary markers: The untrusted issue content is wrapped in <issue> XML-style tags in the sub-agent prompt, but there are no explicit instructions for the sub-agent to ignore potential commands within that content.
  • Capability inventory: Sub-agents have extensive capabilities across multiple files, including filesystem access (reading/writing code), git command execution (branch creation, commits, pushing to remotes), and network access via curl with the GH_TOKEN for interacting with the GitHub REST API.
  • Sanitization: No sanitization, validation, or escaping is performed on the issue content before it is interpolated into the prompt.
  • [COMMAND_EXECUTION]: The skill uses dynamic shell execution and node -e scripts to parse platform-specific configuration files (/data/.clawdbot/openclaw.json) and extract sensitive environment variables like GH_TOKEN for use in API calls and git operations.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 18, 2026, 12:42 PM