join
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the 'patch manifest' data it processes.\n
- Ingestion points: External data enters the system through the 'patch-inbox' (defined in SKILL.md and scripts/build_cloud_join_prompt.py), which provides JSON manifests containing fields like 'intent_summary' and 'touched_entities'.\n
- Boundary markers: Analysis of assets/cloud-join-operator-prompt.md shows that manifest data is interpolated into the agent's context without clear delimiters or instructions to ignore potential instructions embedded within the text fields.\n
- Capability inventory: The skill utilizes the GitHub CLI (gh), including highly capable commands like 'gh api' and 'gh pr update-branch', which allow for broad repository mutations.\n
- Sanitization: While the assets/cloud-join-manifest.schema.json enforces data types and patterns (e.g., for repository names), it does not perform sanitization of the natural language fields that could be used to manipulate the agent's reasoning process.\n- [COMMAND_EXECUTION]: The skill operates by executing system commands through the GitHub CLI. Although SKILL.md mandates a 'gh-only' boundary, the 'gh api' command specifically enables arbitrary REST and GraphQL interactions with the GitHub API, representing a significant capability surface if the agent's instructions are compromised via indirect injection.
Audit Metadata