cx-fix
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes external, untrusted content from GitHub Issues via 'gh' commands and user descriptions.
  - Ingestion points: GitHub Issue body and user descriptions are fetched and processed in Step 1.
  - Boundary markers: None. The skill does not isolate untrusted data from its operational instructions.
  - Capability inventory: High-impact capabilities including file system modification (Step 3), shell command execution (Step 4), and repository management via git/gh (Steps 5-6).
  - Sanitization: No sanitization or validation of the external content is performed before processing.
- [Command Execution] (HIGH): The skill executes shell commands using unvalidated inputs. Specifically, it uses '' from external/user sources in 'gh' commands. This allows for command injection if the input is not strictly a numeric ID. Additionally, running test suites like 'npm test' or 'pytest' on code modified by the AI (influenced by untrusted issue content) creates a pathway for Remote Code Execution.
Recommendations
- AI detected serious security threats
Audit Metadata