agent-issue-tracker
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes external data from GitHub issues (via mcp__github__get_issue, mcp__github__list_issues, mcp__github__search_issues) and possesses high-impact capabilities including Bash, Write, and agent orchestration. An attacker could embed malicious instructions in a GitHub issue that the agent might execute.
  - Ingestion points: mcp__github__get_issue, mcp__github__list_issues, mcp__github__search_issues.
  - Boundary markers: Absent.
  - Capability inventory: Bash, Write, mcp__claude-flow__agent_spawn.
  - Sanitization: Absent.
- [Command Execution] (HIGH): The skill uses a Bash tool to execute commands (e.g., gh issue create). The usage patterns show variables such as :owner/:repo and issue bodies being interpolated into shell commands. If these inputs are derived from untrusted external issue content without strict validation, this interpolation facilitates command injection.
- [External Downloads] (LOW): The pre hook requires the GitHub CLI (gh) to be pre-installed and authenticated. This dependency on an external tool from a trusted source (GitHub) is categorized as LOW per TRUST-SCOPE-RULE.
Recommendations
- AI detected serious security threats
Audit Metadata