issue-flow
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive command-line operations using
gitand the GitHub CLI (gh). These include repository exploration (gh repo view), issue retrieval (gh issue view), branch management (git checkout), worktree isolation (EnterWorktree), and pull request lifecycle management (gh pr create,gh pr checks,gh pr merge). - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from GitHub issue bodies, labels, and comments (
ISSUE_BODY,ISSUE_LABELS,comments). - Ingestion points: Data enters the context via
gh issue viewduring the preflight phase and is subsequently used by code-explorer and implementation agents. - Boundary markers: The skill uses HTML markers like
<!-- issue-flow-plan -->for comment idempotency but lacks explicit instructions to agents to ignore potentially malicious directions embedded in the issue text. - Capability inventory: The skill possesses significant capabilities, including file system modification, shell command execution, and the ability to spawn further agents.
- Sanitization: The skill uses shell-safe patterns (heredocs) for command construction, but there is no evidence of semantic sanitization of external text before it is used in technical planning.
- [EXTERNAL_DOWNLOADS]: The skill fetches data and metadata from GitHub's infrastructure. These operations are neutral and directed toward a trusted, well-known service necessary for the skill's primary function.
Audit Metadata