team-collaboration-issue
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external GitHub issues.
  - Ingestion points: The implementation playbook in `resources/implementation-playbook.md` instructs the agent to fetch and process GitHub issue details and comments using the command `gh issue view $ISSUE_NUMBER --comments`.
  - Boundary markers: No boundary markers, delimiters, or explicit instructions to ignore embedded directives are present to separate untrusted issue content from the agent's core instructions.
  - Capability inventory: The agent has access to powerful tools including the `gh` CLI (for API access, PR creation, and issue modification), `git` (for code modification and pushing to remotes), and testing frameworks like `npm test` and `pytest` which can execute arbitrary code.
  - Sanitization: There is no evidence of sanitization or validation of the issue body or comments before they are used to define the implementation plan or goals.
- [COMMAND_EXECUTION]: The skill frequently guides the agent to execute shell commands using `git`, `gh`, `npm`, and `pytest`. While these are expected tools for a developer agent, they provide a broad attack surface for malicious instructions injected through GitHub issues.