issue-driven
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on system commands (
git,gh) to perform its core functions, such as creating worktrees (git worktree add), managing branches, and modifying GitHub issue metadata (gh issue edit). While these are intended functionalities for a development tool, they involve direct system interaction based on programmatically generated strings derived from external data. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface. 1. Ingestion points: Untrusted data enters the agent's context through issue body retrieval via the
gh issue viewcommand in the/issue updateand/issue worktreesubcommands. 2. Boundary markers: No explicit delimiters or instructions are used to separate issue content from system instructions, meaning the agent might treat content within an issue body as a command. 3. Capability inventory: The skill can perform file system operations (worktree creation), modify remote repository state (PR and issue edits), and call internal agent tools (code review via Codex). 4. Sanitization: No sanitization or validation of the retrieved issue body is performed before processing, allowing potentially malicious instructions to influence the agent's behavior.
Audit Metadata