ghpm-work
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes untrusted content from GitHub issues to drive its workflow.
  - Ingestion points: `references/clarify.md` and `references/wrap-up.md` ingest issue titles, bodies, and comments using the `gh` CLI.
  - Boundary markers: No specific boundary markers or instructions are present to ensure the agent treats external issue content strictly as data rather than instructions.
  - Capability inventory: The agent has access to the `Bash` tool, allowing for file system modifications and execution of git and GitHub CLI commands.
  - Sanitization: There is no evidence of sanitization or filtering of the ingested external content before it is used to generate implementation plans or PR descriptions.
- [COMMAND_EXECUTION]: Several CLI command templates in the skill interpolate variables into double-quoted shell strings, which may allow for command injection if the metadata (like issue titles) contains shell metacharacters.
  - Evidence: `references/draft-pr.md` includes the command `gh pr create --title "<issue title>"`, where the title is directly interpolated into the command line.
  - Evidence: `references/clarify.md` includes `gh issue edit <number> --body "<improved body>"`, which presents a similar risk depending on the shell environment's handling of nested expansion.