scan-issues
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection via external GitHub issue data.
  - Ingestion points: External data enters the agent context via the `gh issue list` command, which retrieves issue titles, labels, and potentially descriptions.
  - Boundary markers: Absent. The instructions do not define any delimiters or system-level constraints to prevent the agent from obeying instructions embedded within the issue text.
  - Capability inventory: While the skill itself focuses on analysis and reporting, it is explicitly designed to guide 'Claude Code', an agent with extensive file-system modification and terminal execution capabilities. Content from issues could deceive the agent into recommending or performing malicious actions.
  - Sanitization: Absent. There is no evidence of sanitization, filtering, or validation of the untrusted strings returned by the GitHub CLI.
- PROMPT_INJECTION (LOW): The skill contains a direct instruction ('IMPORTANT: ... automatically exit...') intended to override the agent's default operational flow based on context. While not a security bypass, it is a form of hardcoded instruction injection.
- COMMAND_EXECUTION (LOW): The skill executes shell commands using the GitHub CLI (`gh`). This is a standard functional requirement for the skill's stated purpose but represents a local execution surface.
Recommendations
- AI detected serious security threats