convert-github-issue-to-discussion
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it reads external, attacker-controlled content from GitHub issues and executes actions based on that content using an authenticated session.
  - Ingestion points: The agent ingests untrusted data from GitHub issue titles, bodies, and comments via `agent-browser snapshot -i` in steps 2, 4, and 6.
  - Boundary markers: There are no boundary markers or instructions telling the agent to ignore embedded commands within the issue content.
  - Capability inventory: The skill uses `agent-browser` to perform state-changing actions (click, select) on GitHub, effectively possessing repository write permissions.
  - Sanitization: No sanitization or validation is performed on the data retrieved from the browser snapshot before the agent uses it to identify interaction targets.
- COMMAND_EXECUTION (MEDIUM): The skill relies on `agent-browser`, an external and unverifiable command-line tool, to perform all browser automation tasks. The tool's origin and safety cannot be verified from the provided markdown.
- DATA_EXFILTRATION (LOW): While no explicit exfiltration to a third party is present, the skill explicitly instructs the agent to maintain an open, authenticated browser session ('Cleanup' section), which increases the window of risk for session hijacking or unauthorized automated actions.
Recommendations
- AI detected serious security threats
Audit Metadata