issue-reply

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is susceptible to indirect prompt injection due to its automated handling of external data.
      • Ingestion points: Phase 1 (Steps 1 and 2) reads raw issue content and comments via the gh issue view command.
      • Boundary markers: Absent; there are no instructions to the agent to distinguish between legitimate data and malicious embedded instructions.
      • Capability inventory: Phase 5 performs a write operation using gh issue comment, which can be subverted by an attacker.
      • Sanitization: No content filtering or sanitization is performed on the ingested issue text.
  • [Command Execution] (LOW): The skill executes gh (GitHub CLI) commands to interact with external repositories. While these commands are defined for legitimate purposes, they provide an execution surface if the agent's reasoning is subverted.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:57 PM