implement
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it parses and acts upon logic, acceptance criteria, and commands provided in external markdown files within the `./issues/` directory.
  - Ingestion points: The agent reads content from `./issues/<feature>/NN-slug.md` to guide its implementation and verification steps.
  - Boundary markers: There are no explicit delimiters or instructions to the LLM to ignore potentially malicious embedded prompts within the issue files.
  - Capability inventory: The skill has the ability to modify the filesystem, create new files, and execute arbitrary shell commands.
  - Sanitization: The skill does not validate or sanitize the instructions or the verification commands extracted from the issue files before processing or executing them.
- [COMMAND_EXECUTION]: The skill automatically executes shell commands specified in the `## Verification` section of the issue files and commands found in `CLAUDE.md`. Since these commands are user-controlled or derived from repo data, an attacker who can modify an issue file could achieve arbitrary command execution on the system running the agent.