ghwf3-plan
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill contains the instruction "Execute immediately without confirmation:" regarding shell commands. This is an attempt to bypass standard safety constraints that require human-in-the-loop approval for sensitive or destructive actions.
- [COMMAND_EXECUTION]: The skill utilizes shell commands (`gh issue view`, `git add`, `git commit`, `git push`) to modify and upload repository content. The lack of a confirmation step for the `push` operation is a high-risk pattern.
- [DATA_EXPOSURE]: The skill reads from the user's home directory (`~/.claude/templates/03_PLAN.md`). Accessing files outside the immediate project workspace, especially in hidden configuration directories, can lead to the exposure of sensitive templates or configuration data.
- [DATA_EXFILTRATION]: By executing `git push` automatically, the skill can send locally generated or modified files to a remote server without the user reviewing the content first.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: Fetches data from external GitHub issues (body and comments) via the `gh` CLI tool.
  - Boundary markers: None present. There are no delimiters used to separate untrusted external content from the skill's own instructions.
  - Capability inventory: Includes file system write access, local file reads, and remote repository write access (`git push`).
  - Sanitization: None present. The skill analyzes the external codebase structure and issue comments directly to generate implementation plans without validation.
Recommendations
- AI detected serious security threats
Audit Metadata