issue-triage
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses the $ARGUMENTS variable directly in shell commands (e.g., 'gh issue view $ARGUMENTS') without quotes or validation. This creates a potential shell command injection vector if the input is not strictly a numeric issue ID.
- [PROMPT_INJECTION]: Indirect prompt injection surface identified.
  - Ingestion points: The skill fetches untrusted data (issue title and body) from GitHub issues in SKILL.md (Step 2).
  - Boundary markers: None present. The fetched content is processed by the agent without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Execution of local code via 'cargo test' and 'cargo run', repository modification via Git, and GitHub API interactions (PR creation, commenting).
  - Sanitization: No sanitization is performed on the issue content before the agent analyzes it to reproduce bugs or implement fixes.
- [COMMAND_EXECUTION]: The skill executes 'cargo test' and 'cargo run', running code from the local repository. This presents a risk if an attacker can influence the reproduction or fix steps to execute malicious code with the agent's privileges.
- [COMMAND_EXECUTION]: The skill possesses high-privilege capabilities including 'git push' and 'gh pr create'. These could be exploited to introduce persistent malicious changes to a repository if the agent is compromised via indirect prompt injection.
Audit Metadata