deferred-finding
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection as it ingests untrusted data from code reviews and incorporates it into automated GitHub commands.
- Ingestion points: Finding details and code evidence extracted from codebases (Step 3).
- Boundary markers: Uses quoted heredocs ('EOF') in shell commands (Step 4), which mitigates direct shell command injection but does not prevent the agent from following instructions embedded in the finding data.
- Capability inventory: Full access to GitHub issue management via the 'gh' CLI, including creating issues, adding labels, and posting comments.
- Sanitization: No explicit sanitization or validation of the ingested finding content is performed before it is used in CLI arguments.
- [Command Execution] (LOW): The skill relies on the 'gh' (GitHub CLI) tool to perform its primary functions. While 'gh' is a standard utility, the execution of shell commands based on interpolated external content is a known attack surface.
Audit Metadata