build: Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it fetches untrusted data from GitHub issues to drive its execution logic.
  - Ingestion points: Fetches issue descriptions and comments from an external source using `gh issue view $1 --comments`.
  - Boundary markers: None identified. The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded in the issue content.
  - Capability inventory: The skill possesses significant capabilities, including executing shell commands (`gh`, `git`, `pnpm`, `open`), reading/writing to the user's home directory (`~/.claude`, `~/.agent`), and delegating tasks to other agents.
  - Sanitization: None. Content from GitHub is directly used to inform the 'Delegate' loop without validation or escaping.
- [COMMAND_EXECUTION]: The skill uses the provided issue ID (`$1`) directly in several shell commands (`gh issue view`, `gh issue edit`). This presents a surface for command injection if the input is not properly sanitized by the underlying execution environment.
- [DATA_EXPOSURE]: The skill reads configuration and templates from `~/.claude/skills/visualize/` and writes generated HTML to `~/.agent/diagrams/`. While these appear to be directories related to the agent's internal state, the access to the local home directory increases the impact of potential injection vulnerabilities.