skills/sethgammon/armory/triage/Gen Agent Trust Hub

triage

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted external data from GitHub issue bodies, comments, and pull request diffs. This creates a surface for indirect prompt injection where an attacker could embed malicious instructions in an issue report to influence the agent's behavior during triage or root cause analysis.
      * Ingestion points: Phase 1 (Issue Intake) and Phase 1b (PR Review Protocol) fetch data using gh issue view and gh pr view in SKILL.md.
      * Boundary markers: No explicit delimiters or instructions to ignore embedded commands are specified when processing this data.
      * Capability inventory: The skill can execute shell commands (gh, git, grep), write to the local file system (Phase 5), and perform network operations via gh.
      * Sanitization: No sanitization or validation of the fetched issue/PR content is mentioned before it is processed by the AI.
  • [COMMAND_EXECUTION]: The skill executes several system commands to perform its tasks. It uses git remote get-url origin and git log to interact with the local repository. It also uses the GitHub CLI (gh) to view, list, edit, and comment on issues/PRs, as well as to create new pull requests. Additionally, in Phase 5 (Auto-fix), it executes typecheck/build commands which are project-specific scripts that can run arbitrary code defined in the repository being triaged.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 07:07 AM