plan-to-github-issues

Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the GitHub CLI (gh) to perform several repository management tasks.
      • Evidence: Uses gh label create, gh issue create, and gh repo view to interact with GitHub repository metadata.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes user-controlled implementation plans from local files.
      • Ingestion points: Reads implementation plans from the plans/ directory (e.g., **/plans/plan-*.md).
      • Boundary markers: None identified. The skill does not instruct the agent to ignore or delimit embedded instructions within the plan files.
      • Capability inventory: The skill has the capability to write files via gh api, create issues, and define labels across the GitHub repository.
      • Sanitization: There is no mention of sanitizing or escaping the content read from the plan files before it is interpolated into issue bodies or workflow configurations.
  • [REMOTE_CODE_EXECUTION]: The skill generates and writes an executable GitHub Actions workflow (.github/workflows/ci.yml) to the repository.
      • Evidence: The skill explicitly instructs the agent to create a CI workflow that installs dependencies, runs database migrations, and executes tests. This involves dynamic generation of shell scripts and configuration files that control the repository's automated execution environment. Writing to the .github/workflows directory is a sensitive operation that could be leveraged to execute arbitrary code or exfiltrate secrets during CI runs.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 6, 2026, 08:33 AM