review
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill parses untrusted data from external GitHub issue bodies and comments to extract logic, file paths, and acceptance criteria. This represents an indirect prompt injection surface where a malicious issue could attempt to influence the agent's validation logic or suggested remediation actions.
  - Ingestion points: GitHub issue data retrieved via `gh issue view` in Step 3 and parsed in Step 4.
  - Boundary markers: None explicitly used to wrap or delimit the untrusted issue content during processing.
  - Capability inventory: The skill can perform write operations on the repository, including `gh issue edit`, `gh issue close`, and `gh issue comment` as described in Step 10.
  - Sanitization: The skill uses quoted heredocs (`<<'ISSUE_BODY_END'`) when writing content back to GitHub to prevent shell interpolation of the issue body, but it does not sanitize the logical content parsed from the issue.
  - Mitigation: The instructions explicitly state 'Never modify an issue without explicit user approval' and require the use of `AskUserQuestion` before performing any destructive actions.
- [COMMAND_EXECUTION]: The skill utilizes the GitHub CLI (`gh`) for repository management tasks. While these are documented and intended for the skill's purpose, they grant the agent the ability to modify issue states, bodies, and comments based on its analysis of the codebase.
Audit Metadata