supervisor
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `git` and `gh` (GitHub CLI) commands to manage the development cycle, including creating git worktrees, checking out branches, merging pull requests, and managing labels.
- [EXTERNAL_DOWNLOADS]: The skill automatically performs package installation using `bun install` or `npm install` when setting up its worktree. This is a standard development workflow that downloads dependencies from external registries.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it reads and acts upon content provided by external users in GitHub issues and PR comments.
  - Ingestion points: Untrusted data enters the agent context through pull request descriptions (`gh pr view`), issue bodies (`gh issue view`), and API responses for PR comments.
  - Boundary markers: The skill does not implement boundary markers or instructions to the agent to ignore potentially malicious directions embedded in the fetched issue or PR text.
  - Capability inventory: The skill possesses significant capabilities, including the ability to execute shell commands, write to the local filesystem (via implementation tools), and modify remote repository states (merging/closing PRs).
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the content retrieved from GitHub before it is processed by the agent.
Audit Metadata