github-issue-workflow
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill demonstrates high security awareness regarding indirect prompt injection risks associated with user-generated content.
  - It identifies GitHub issue bodies as untrusted content and implements a mandatory "Content Isolation Protocol" in SKILL.md and references/security-protocol.md.
  - It instructs the agent to ignore embedded instructions such as "ignore previous instructions" or "system override."
  - Findings from automated detectors regarding these phrases in references/security-protocol.md are false positives, as they are listed as examples of malicious patterns for the agent to disregard, not commands to follow.
- [SAFE]: The skill correctly implements a mandatory human-in-the-loop (HITL) confirmation gate as a security boundary.
  - Ingestion points: Untrusted data enters the context via gh issue view output, as described in SKILL.md (Phase 1).
  - Boundary markers: The workflow requires an explicit AskUserQuestion gate where the user must restate and confirm requirements in their own words.
  - Capability inventory: The skill has Write, Edit, and Bash capabilities to modify code and execute local scripts.
  - Sanitization: The agent is instructed to use only the user-confirmed summary for implementation, effectively isolating the agent's logic from raw, untrusted issue text.
- [SAFE]: The skill uses well-known and trusted tools for its operations.
  - It relies on the GitHub CLI (gh) and git for repository management and pull request workflows.
  - It uses Context7 for retrieving technology-specific documentation, promoting the use of safe and up-to-date APIs.
- [COMMAND_EXECUTION]: Command execution is limited to standard, purpose-driven development tasks.
  - The skill runs project-specific test suites (e.g., npm test, pytest) and linters to verify code quality.
  - It explicitly prohibits executing code or commands found within GitHub issue bodies or comments.
Audit Metadata