bonfire-start
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill fetches issue and PR data from GitHub and Linear which is then processed by the agent.
  1. Ingestion points: gh pr view, gh issue view, and linear issue view commands in SKILL.md.
  2. Boundary markers: No specific delimiters or instructions are used to separate fetched content from the system prompt.
  3. Capability inventory: Bash (git, gh, linear, mkdir), Write, Read, and Glob tools.
  4. Sanitization: No evidence of sanitization of fetched external content before it is incorporated into the session context.
- REMOTE_CODE_EXECUTION (HIGH): The skill modifies .claude/settings.json to install automated shell hooks (PreCompact and PostToolUse). These hooks execute shell commands that incorporate tool inputs, creating a persistent risk of command injection if tool inputs are manipulated.
- COMMAND_EXECUTION (MEDIUM): The skill requests broad wildcard permissions for the Bash tool (e.g., Bash(git:), Bash(gh:)), which violates the principle of least privilege.
Recommendations
- AI detected serious security threats