issue-lifecycle
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to read and process external, untrusted content from GitHub issues and comments which can lead to execution of malicious instructions embedded in the data.
- Ingestion points: The skill frequently reads issue bodies and comment history using
gh issue view [ISSUE_NUMBER] --json bodyandgh issue view [ISSUE_NUMBER] --comments. - Boundary markers: There are no delimiters or instructions provided to the agent to distinguish between its own logic and instructions that might be contained within the issue text.
- Capability inventory: The agent has the capability to modify repository state via
gh issue edit,gh issue comment, andgh project item-edit. - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from GitHub before it is used to construct new issue bodies or influence logic.
- Command Execution (MEDIUM): The skill documentation provides shell script templates that interpolate untrusted data (e.g., the
BODYvariable) into command lines. If the content of the issue body contains shell metacharacters or command substitution patterns, it could lead to unexpected behavior depending on how the agent executes the provided bash snippets.
Recommendations
- AI detected serious security threats
Audit Metadata