issue-driven
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local system commands using
gitandgh(GitHub CLI) to manage branches, worktrees, issues, and pull requests. These operations are essential for the skill's primary function and are driven by the user's workflow commands. - [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection by reading and processing content from external or local sources without adequate defenses.
- Ingestion points: In
SKILL.md, theupdateandreview codecommands ingest data from GitHub issue bodies (retrieved viagh issue view) and from local plan files located in.claude/plans/ordocs/plans/. - Boundary markers: Absent. The skill does not use specific delimiters or instructions to the agent to disregard potential commands or role-play attempts within the ingested text.
- Capability inventory: The skill can modify the local file system through
git worktree, change the state of remote GitHub repositories (editing issues, PRs, and labels), and interact with other AI agents via/ask codex. - Sanitization: Absent. Content from issues and plans is interpolated directly into outgoing prompts or command arguments.
- [DATA_EXFILTRATION]: The skill transmits local project information, including code diffs and development plans, to GitHub repositories to create or update issues and pull requests. This data transfer is a core component of the intended workflow but represents an outbound movement of local project data.
Audit Metadata