fix-issue
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to interact with the local filesystem, Git, and the GitHub CLI. It also suggests installing global dependencies likeportlessvianpm, which modifies the host system environment.- [PERSISTENCE_MECHANISMS]: Utilizes theCronCreatetool to establish recurring background tasks for monitoring Pull Request status. While functional for the developer workflow, this creates persistent background execution that remains active across agent sessions.- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from GitHub issue titles, bodies, and comments viagh issue view. This data is passed as context to multiple specialized sub-agents (investigators, architects, designers) without explicit boundary markers or sanitization, creating a surface for indirect prompt injection. - Ingestion points: GitHub issue metadata and content via
gh issue view(Phase 1). - Boundary markers: None identified; untrusted data is interpolated directly into prompts for sub-agents.
- Capability inventory: Sub-agents have access to
Bash,Read,Write,Edit, andCronCreatetools. - Sanitization: No evidence of input filtering or escaping for external content.- [EXTERNAL_DOWNLOADS]: The skill triggers the installation of external tools from the NPM registry (
portless) and fetches content from GitHub's remote API, involving interaction with external networks and code sources.
Audit Metadata