issue-decomposition
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted data from external sources (GitHub issue bodies) and uses it to drive agent decisions and tool outputs.
- Ingestion points: The parent issue analyzed in 'Step 1' of the decomposition process.
- Boundary markers: Absent. The instructions do not include delimiters or specific guidance to the agent to ignore instructions embedded within the parent issue body.
- Capability inventory: The skill utilizes gh issue create, gh issue edit, and gh project item-add. This allows an attacker to potentially trick the agent into creating spam issues, performing unauthorized edits, or exfiltrating data into issue descriptions.
- Sanitization: Absent. The skill explicitly suggests copying 'Acceptance Criteria' directly from the parent into sub-issues in 'Step 3'.
- Command Injection (MEDIUM): The skill templates demonstrate shell command execution (gh issue create --body "...") using strings derived from external content.
- Evidence: In 'Step 3', external content is interpolated directly into command arguments. If the agent or the underlying shell executor does not correctly escape shell metacharacters (e.g., backticks, dollar signs), an attacker could execute arbitrary code on the runner by crafting a malicious parent issue.
Recommendations
- AI detected serious security threats
Audit Metadata