report-to-issues
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating text extracted from markdown reports directly into `gh issue create` and `gh label create` commands. This pattern is vulnerable to command injection if report content includes shell metacharacters such as backticks, semicolons, or dollar signs. Mitigation: Use the GitHub API directly or ensure all strings are shell-escaped before interpolation.
- [DATA_EXFILTRATION]: The skill reads local files from the `docs/` directory and transmits their contents to GitHub. While this is the intended functionality for reporting, it involves exporting potentially sensitive local project data to an external issue tracker.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content from external report files and uses that data to drive agent actions without clear separation of data and instructions.
  - Ingestion points: Local markdown files in `docs/evaluation/` and `docs/security-audit/`.
  - Boundary markers: No delimiters or instructions are used to tell the agent to ignore any commands or formatting embedded within the reports.
  - Capability inventory: File system read access, shell command execution, and GitHub CLI interactions (list/create issues and labels).
  - Sanitization: The skill does not specify any validation, escaping, or filtering of the content extracted from report files before processing. Mitigation: Use XML-style delimiters or triple backticks around external data with explicit 'ignore instructions' warnings.
Audit Metadata