orchestration

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. External data from GitHub issue bodies and titles is fetched and directly interpolated into sub-agent prompts in Phase 4 without delimiters or sanitization. An attacker could embed malicious instructions in an issue to manipulate task agents.
    * Ingestion points: Issue details fetched via 'gh issue view' and the GraphQL API in Phase 1.
    * Boundary markers: Absent; issue content is placed directly in the prompt block in Phase 4.
    * Capability inventory: Sub-agent execution via the 'Task' tool, code pushes via Git, and PR creation via the GitHub CLI.
    * Sanitization: The skill incorporates a consensus review phase (Phase 5) which acts as a validation step, but it does not sanitize the input before agent execution.
  • [COMMAND_EXECUTION]: The skill utilizes the GitHub CLI ('gh') and Git to perform its core functions. It executes commands to fetch issue details, create branches, and push code. These capabilities are intended for orchestration but increase the potential impact of an indirect prompt injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 06:40 PM