gh-issues
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing untrusted data from GitHub. \n
- Ingestion points: Phase 2 (GitHub issues) and Phase 6 (PR review comments and body content). \n
- Boundary markers: External content such as issue bodies and comments is interpolated into sub-agent prompts without delimiters or instructions to ignore embedded commands. \n
- Capability inventory: Spawned sub-agents possess significant capabilities, including repository modification via
git, network communication viacurl, and the ability to execute code via test runners. \n - Sanitization: No validation or sanitization of external GitHub content is performed before processing. \n- [REMOTE_CODE_EXECUTION]: The skill orchestrates sub-agents that generate and execute code based on untrusted inputs. Evidence: Phase 5 and Phase 6 involve agents implementing code fixes and running test suites on modified codebases. \n- [CREDENTIALS_UNSAFE]: The skill accesses local files to retrieve sensitive authentication tokens. Evidence: Phase 2 and sub-agent prompts read from
~/.openclaw/openclaw.jsonand/data/.clawdbot/openclaw.jsonto extract theGH_TOKEN. \n- [COMMAND_EXECUTION]: Utilizes system utilities includingcurlfor API interaction,gitfor repository management, andnode -efor configuration parsing. \n- [EXTERNAL_DOWNLOADS]: Interacts with the GitHub REST API (api.github.com), which is a well-known service expected for the skill's primary functionality.
Audit Metadata