positron-intake-rotation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Prompt Injection (LOW): The skill possesses a surface for indirect prompt injection because it processes data from external, untrusted sources.\n
- Ingestion points: The scripts
fetch_discussions.sh,fetch_intake_issues.sh, andsearch_related.shretrieve issue titles, descriptions, and discussion content from theposit-dev/positronrepository.\n - Boundary markers: The skill lacks explicit delimiters or system instructions to prevent the agent from following commands embedded in the fetched GitHub content.\n
- Capability inventory: The agent is empowered to fetch and search GitHub data and draft responses. While it lacks high-privilege system access, its output can be manipulated by malicious issue content.\n
- Sanitization: No sanitization or filtering is applied to the data retrieved via the GitHub CLI before processing.\n- Data Exposure & Exfiltration (LOW): The skill documentation directs the agent to interact with non-whitelisted external domains.\n
- Evidence:
references/intake_workflow.mdlinks to Jira (positpbc.atlassian.net), Google Sheets (docs.google.com), and Posit's own documentation site (positron.posit.co). These domains are not present on the trusted whitelist for network operations.
Audit Metadata