worker-dispatch
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Bash functions defined in SKILL.md, specifically 'extract_issue_context' and 'spawn_implementation_worker', use shell variables like '$issue' and '$TITLE' in command lines without consistent quoting. While some sanitization is applied to the slug, the use of unquoted variables in 'git' and 'gh' commands poses a risk of local command injection if the orchestrator passes unvetted strings.
- [PROMPT_INJECTION] (LOW): The skill facilitates Indirect Prompt Injection (Category 8). It fetches content from external GitHub issues (title, body, comments) and directly interpolates this data into the system instructions for spawned sub-agents. 1. Ingestion points: Data enters via 'gh issue view' in 'extract_issue_context'. 2. Boundary markers: Absent; the prompt uses basic Markdown headers which do not provide security isolation. 3. Capability inventory: Sub-agents have 'Bash' and GitHub tool access, allowing malicious instructions in an issue to potentially execute code or modify the repository. 4. Sanitization: No sanitization is performed on the 'ACCEPTANCE', 'HANDOVER', or 'PROGRESS' variables before interpolation.
Audit Metadata