issue-decomposition
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It instructs the agent to read and analyze external GitHub issues, which are attacker-controlled sources.
  - Ingestion points: The skill reads the 'Parent Issue' body and title in Step 1 to identify work units.
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to treat the issue content as data rather than instructions.
  - Capability inventory: The skill is granted `mcp__github__*` permissions, enabling it to create issues, edit issues, and modify project boards.
  - Sanitization: Absent. The process encourages the agent to 'copy or derive' criteria and descriptions directly from the untrusted parent issue into new issues.
- [COMMAND_EXECUTION] (MEDIUM): The skill's instructions involve constructing and executing `gh` CLI commands using variables (titles, bodies) derived from untrusted external input. If the underlying MCP implementation or shell environment does not strictly sanitize these inputs, it could lead to command injection or unauthorized repository manipulation.
Recommendations
- AI detected serious security threats