cnb-issue
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns or security risks detected. The skill provides standard functionality for interacting with the CNB issue API using official endpoints and well-known libraries.
- [EXTERNAL_DOWNLOADS]: The skill uses the 'swagger-client' library from the official NPM registry to handle OpenAPI-based communication with the CNB platform.
- [CREDENTIALS_UNSAFE]: The skill correctly instructs users to provide credentials via the 'CNB_TOKEN' environment variable, avoiding hardcoded secrets and following standard security practices for API authentication.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes external content from the CNB API.
  - Ingestion points: Issue titles, descriptions, and comments are fetched from the cnb.cool API in scripts/client.js.
  - Boundary markers: Absent; there are no explicit delimiters or instructions to the agent to treat API data as untrusted.
  - Capability inventory: The skill has write access to create and update issues/comments on the CNB platform.
  - Sanitization: Absent; the CLI tool returns raw API data to the agent for processing.
Audit Metadata