gh-issue-to-pr
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive shell command execution using git and gh (GitHub CLI) to manage repository state, branching, and pull requests.
- [PROMPT_INJECTION]: The skill ingests untrusted data from GitHub issues via gh issue view in SKILL.md. This creates a surface for indirect prompt injection. 1. Ingestion points: Issue title and body content are fetched into the agent context from external GitHub repositories. 2. Boundary markers: The instructions do not define clear delimiters or use safety instructions to separate issue content from system prompts. 3. Capability inventory: The agent has access to shell execution (gh, git) and the ability to modify local files. 4. Sanitization: There is no explicit sanitization or validation of the fetched issue content before it is used to guide the implementation workflow.
- [REMOTE_CODE_EXECUTION]: Step 4 of the workflow instructs the agent to run project checks (lint, test, build) relevant to changed code. This involves executing scripts or build tools defined within the cloned repository, which could lead to arbitrary code execution if the repository content is malicious.
Audit Metadata