Skills
skills/qverisai/qverisbot/gh-issues/Gen Agent Trust Hub

gh-issues

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFEPROMPT_INJECTIONCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from GitHub issue bodies and PR review comments which could contain malicious instructions designed to manipulate the sub-agents' behavior.
  • Ingestion points: Fetches issue data and PR comments via the GitHub API (api.github.com).
  • Boundary markers: The skill uses XML-style tags like <issue> and <review_comments> to delimit external data within the sub-agent prompts.
  • Capability inventory: Sub-agents have permissions to write to the filesystem, execute git commands, run arbitrary test suites (e.g., npm test, pytest), and make network requests using curl.
  • Sanitization: No explicit sanitization or filtering of the ingested GitHub content is performed before interpolation into sub-agent prompts.
  • [CREDENTIALS_UNSAFE]: The skill accesses sensitive configuration files to retrieve authentication tokens.
  • Evidence: It reads from ~/.openclaw/openclaw.json and /data/.clawdbot/openclaw.json to extract the GH_TOKEN.
  • Credential usage: The token is used for GitHub API authentication and is embedded in Git remote URLs (https://x-access-token:$GH_TOKEN@github.com/...) for authenticated push operations. While necessary for the skill's functionality, this exposes the token to command-line history and environment variables within sub-agent sessions.
  • [COMMAND_EXECUTION]: The orchestrator and its spawned sub-agents execute a variety of system commands.
  • Evidence: Includes git operations (clone, branch, commit, push), curl for API interactions, and dynamic test execution (discovery and running of project-specific test suites).
  • Risk: Sub-agents are instructed to 'discover and run the existing test suite', which involves executing potentially arbitrary code defined in the target repository's configuration (e.g., Makefile, package.json).
  • [EXTERNAL_DOWNLOADS]: The skill communicates with external services to perform its tasks.
  • Evidence: Fetches data and configuration from GitHub's official API (api.github.com) and pushes code to GitHub repositories.
  • Messaging: Uses the message tool to send notifications to Telegram channels via the user-specified notify-channel.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 6, 2026, 01:22 AM