process-issues
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its processing of external, untrusted data.
  - Ingestion points: Untrusted data enters the agent's context via GitHub issue bodies (accessed via `gh issue list` and `gh issue view`), pull request comments (`gh pr view --comments`), and external PRD (Product Requirements Document) files.
  - Boundary markers: Absent. The instructions do not specify the use of delimiters or provide warnings to the agent to ignore embedded instructions within the ingested issue or comment text.
  - Capability inventory: The agent has broad capabilities, including arbitrary file modification (via the `code-implementation` skill), shell command execution (`git`, `gh`), and network communication (`git push`, GitHub API interaction).
  - Sanitization: No sanitization or validation of the ingested content is performed before it is used to influence the agent's logic or construct shell commands, such as branch names or PR titles.
- [COMMAND_EXECUTION]: The skill relies heavily on shell command execution for its core functionality. It uses `git` for worktree management, branch creation, and commits, and `gh` for managing GitHub issues, labels, and pull requests. While these are standard tools, the autonomous execution within a loop increases the risk surface if user-controlled strings (like issue titles) are interpolated into command lines without sufficient escaping.
- [DATA_EXFILTRATION]: While the skill's primary purpose involves reading and writing to a repository, the combination of code-reading capabilities and network access (via `git push`) creates a theoretical path for data exfiltration if the agent is compromised via indirect prompt injection (e.g., an attacker-controlled issue instructing the agent to commit a `.env` file).
Audit Metadata