bugfix
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting untrusted content from GitHub.
- Ingestion points: The 'gh issue view' command in Step 1 fetches the body of a GitHub issue and saves it to a local markdown file in '.qwen/issues/'. This content is authored by external users and is inherently untrusted.
- Boundary markers: While the skill uses a markdown template with horizontal rules ('---') to separate the issue body from reproduction/verification reports, it lacks explicit instructions to the agents to ignore or sanitize embedded instructions within the issue body.
- Capability inventory: The skill spawns a 'test-engineer' agent (Steps 2 and 4) with the authority to execute code and scripts ('node dist/cli.js', 'npm run build'). If a malicious issue body contains instructions that the agent follows during reproduction, it could lead to unauthorized actions.
- Sanitization: No sanitization, escaping, or validation is performed on the issue content before it is processed by the AI agents.
- [COMMAND_EXECUTION]: The skill executes several shell commands and project scripts ('mkdir', 'gh issue view', 'npm run build', 'npm run bundle', 'node dist/cli.js') as part of its standard workflow. These commands are executed in the local environment and their inputs (specifically the issue body and reproduction strategy) are influenced by external, untrusted data.