github-issue
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): Potential for Indirect Prompt Injection (Category 8). The skill ingests untrusted user requirements to define issue titles, labels, and bodies. * Ingestion points: User requirements collected in Workflow Step 1. * Boundary markers: None present. User-controlled strings are not delimited from the shell command template. * Capability inventory: Executes gh issue create via PowerShell (network and write capabilities). * Sanitization: Incomplete. The skill recommends here-strings for the body, which helps with formatting, but the {title} and {labels} fields are interpolated into double-quoted strings, making them vulnerable to PowerShell subexpression injection (e.g., using $(whoami) in a title).
- [COMMAND_EXECUTION] (MEDIUM): The skill generates and facilitates the execution of shell commands using externally sourced data. If an attacker provides inputs containing shell metacharacters, it could lead to the execution of arbitrary commands or unauthorized GitHub operations via the gh CLI context.
Audit Metadata