spec
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes system commands and CLI tools including
gh,codex,thinktank, andopen.- [COMMAND_EXECUTION]: Dangerous interpolation of untrusted data into shell commands occurs in multiple phases. In 'Quick Mode', the skill constructs acodex execcommand using problem descriptions and user roles derived directly from GitHub issues. In the 'Visual Deliverable' phase, theopencommand uses a filename constructed from a{feature}variable. If these inputs contain shell metacharacters (e.g., semicolons, backticks, or pipes), they could facilitate unauthorized command execution outside the intended scope.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) where malicious instructions embedded in GitHub issue comments could influence the agent's behavior or the generated output. - Ingestion points: Fetches untrusted external data using
gh issue view $1 --commentsin both Exploration and Quick modes. - Boundary markers: Absent. The skill lacks clear delimiters or explicit instructions to the agent to disregard instructions embedded within the ingested issue content.
- Capability inventory: Includes file system writes (
~/.agent/diagrams/), network operations via GitHub CLI (gh issue comment,gh issue edit), and execution of secondary logic viacodexandthinktank. - Sanitization: Absent. There is no evidence of validation, filtering, or escaping of the ingested issue text before it is used for command construction or spec generation.
Audit Metadata