incubate
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides shell command templates that use direct string interpolation for user-provided variables, such as `URL="[URL]"`, `NAME="[NAME]"`, and `gh issue create ... --title "[TITLE]"`. This pattern is vulnerable to shell command injection; if a user provides input containing shell metacharacters (e.g., backticks, `$()`, or semicolons), the agent may execute unintended arbitrary commands.
- [DATA_EXFILTRATION]: The combined presence of command injection vulnerabilities and access to network-capable tools (`gh`, `git`, `ghq`) creates an exfiltration risk. An attacker could craft inputs that cause the agent to read local configuration files, SSH keys, or environment variables and transmit them to an external server via GitHub API calls or Git push operations.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data (repository contents, issue descriptions, and user-provided branch names) and processing it through automated workflows. There is a lack of explicit boundary markers or sanitization logic in the provided command templates to prevent embedded instructions in this data from influencing the agent's behavior.
  - Ingestion points: Untrusted data enters via `[URL]`, `[NAME]`, `[TITLE]`, `[DESCRIPTION]`, and `[commit message]` placeholders.
  - Boundary markers: Absent; user input is placed directly inside shell strings or markdown logs.
  - Capability inventory: The skill can perform file system modifications (`mkdir`, `ln`, `rm`, `unlink`), network operations (`gh`, `git`, `ghq`), and process management.
  - Sanitization: Absent; the instructions do not specify any validation, escaping, or filtering of user-supplied strings before they are interpolated into executable shell commands.
Audit Metadata