gh-issues
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE DATA_EXFILTRATION PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It instructs the agent to retrieve 'AI session context' from GitHub issue comments and 'continue from where you left off.' Since any user with repository access (or any user on a public repo) can post comments, an attacker can inject malicious instructions within the `<!-- AI-CONTEXT:START -->` blocks.
  - Ingestion points: `SKILL.md` (lines 88-91) and `README.md` (lines 40-43) use `gh issue view` with `jq` to extract comment bodies containing specific markers.
  - Boundary markers: The skill uses `<!-- AI-CONTEXT:START -->` and `<!-- AI-CONTEXT:END -->` as delimiters, but lacks instructions for the agent to ignore or sanitize instructions found within these boundaries.
  - Capability inventory: The agent has capabilities to create/edit issues, create branches (`gh issue develop`), and perform arbitrary API calls via `gh api`.
  - Sanitization: No sanitization or validation of the retrieved context is performed before the agent is told to resume work based on it.
- DATA_EXFILTRATION (LOW): The skill encourages 'AI session context storage' (Category 2) by uploading details like file paths, line numbers, and development decisions to GitHub comments. In public repositories, this exposes internal development state and local environment metadata (e.g., `file.py:45`) to the public, which may be undesirable for privacy or security reasons.
- COMMAND_EXECUTION (SAFE): Use of the `gh` CLI and `xargs` for bulk operations is consistent with the skill's primary purpose and follows standard command-line patterns.
Audit Metadata