project-issues-batch
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the parsing of GitHub issue content.
- Ingestion points: External data enters the agent's context during Phase 1 (
gh issue view) and Phase 2 (dependency scanning), where issue titles, bodies, and comments are retrieved from GitHub repositories. - Boundary markers: There are no defined delimiters or 'ignore' instructions to prevent the agent from obeying malicious prompts embedded within the issue markdown.
- Capability inventory: The skill executes Git operations (
git checkout,git branch), GitHub CLI commands (gh pr create), and delegates tasks to theissue-to-implementationskill, which likely involves file system writes and code generation. - Sanitization: No sanitization or content filtering is implemented for the ingested issue data, allowing an attacker with write access to a GitHub issue to potentially influence the implementation behavior or branch naming via malicious instructions.
Audit Metadata