tackle-issues
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by ingesting untrusted data from local files and interpolating it into agent instructions.
  - Ingestion points: Markdown files located in the `issues/` directory are read and passed verbatim to subagents as described in `SKILL.md` and `SUBAGENT_PROMPT.md`.
  - Boundary markers: While markdown backticks are used as delimiters in the subagent prompt template, there are no instructions to ignore or treat the content as untrusted data.
  - Capability inventory: Subagents are granted broad capabilities, including shell access for tests/linting, file system manipulation, and git command execution.
  - Sanitization: No sanitization, filtering, or escaping is applied to the issue content before it is processed by the subagent.
- [COMMAND_EXECUTION]: The instructions for the subagent explicitly require it to discover and execute commands defined in project manifest files (e.g., `package.json`, `Makefile`, `Cargo.toml`). This allows for the execution of arbitrary shell commands if the repository content is maliciously crafted.
Audit Metadata