docs-check
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
Category: COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: Shell command injection vulnerability identified in the workflow. The script interpolates the `$ISSUE_ID` value, which the instructions state is provided via the user prompt, directly into the bash command `bd show "$ISSUE_ID" --json`. A malicious user could provide a crafted ID containing shell metacharacters (e.g., `$(rm -rf /)`) to execute arbitrary code with the agent's privileges. The risk arises because the agent substitutes the prompt text into the command string before the shell parses it; a double-quoted expansion of a shell variable that was already set would not run a `$(...)` substitution, so the fix is to validate the ID against a strict allow-list (for example alphanumerics, `.`, `_` and `-`, not starting with `-`) and pass it to `bd` as a separate argument rather than as part of a command string.
- [COMMAND_EXECUTION]: The skill's use of the Bash tool with capabilities to create directories, write files, and execute external commands (such as `git` and `bd`) increases the potential impact of the command injection vulnerability.
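The following shell script is an added example, not code from the docs-check skill or from the Gen Agent Trust Hub audit. It shows the three cases the finding turns on: the ID spliced into the command text before parsing (injectable), the same ID held in a shell variable and expanded inside double quotes (not injectable), and a hardened path that validates the ID and passes it as a separate argument. The real `bd` CLI is not installed here, so a stub `bd` function that echoes its arguments stands in for it; the allow-list pattern and the helper names are assumptions made for the example.

```shell
#!/usr/bin/env sh
# Added example; not part of the docs-check skill or the audit report.
# Assumption: the real `bd` CLI is absent, so a stub function stands in for it.
bd() { printf 'bd called with: %s\n' "$*"; }

# Case 1 (vulnerable): the agent fills a template string with the prompt-supplied
# ID and hands the whole string to a Bash tool. The shell parses the ID as code,
# so a $(...) inside it executes before bd ever sees an argument.
run_unsafe() {
  issue_id="$1"
  cmd="bd show \"$issue_id\" --json"   # prompt text becomes shell syntax
  eval "$cmd"                          # eval models the agent's Bash tool
}

# Case 2 (not injectable): the ID is already in a shell variable and is expanded
# inside double quotes. Expansion does not re-parse the value, so $(...) stays
# a literal string and is passed to bd verbatim.
run_quoted_var() {
  issue_id="$1"
  bd show "$issue_id" --json
}

# Allow-list check (assumed format): must start with an alphanumeric so it can
# never be taken for an option, and may contain only [A-Za-z0-9._-].
validate_issue_id() {
  case "$1" in
    [A-Za-z0-9]*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Case 3 (hardened): reject anything outside the allow-list, then pass the ID as
# its own argv element; no command string is ever re-parsed.
run_safe() {
  issue_id="$1"
  if ! validate_issue_id "$issue_id"; then
    echo "rejected: bad issue id" >&2
    return 2
  fi
  bd show "$issue_id" --json
}

# Demonstration with a harmless payload standing in for `$(rm -rf /)`.
payload='$(echo INJECTED)'
run_unsafe "$payload"       # prints: bd called with: show INJECTED --json
run_quoted_var "$payload"   # prints: bd called with: show $(echo INJECTED) --json
run_safe "$payload"         # prints: rejected: bad issue id
run_safe "ISSUE-42"         # prints: bd called with: show ISSUE-42 --json
```

The contrast between the first two cases is the point a reviewer should check when triaging this class of finding: quoting the variable is only a defence if the value reaches the shell as a variable, which is not what happens when an agent writes the prompt text into the command it executes.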
Audit Metadata