github-issue-fix
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and acts upon content from external GitHub issues.
- Ingestion points: The skill uses
gh issue viewto retrieve the full description and metadata of GitHub issues and processes data passed via$ARGUMENTS(SKILL.md). - Boundary markers: There are no delimiters or specific instructions to the agent to treat the issue content as untrusted or to ignore any embedded instructions within the issue body.
- Capability inventory: The agent has the ability to perform sensitive operations including creating git branches, committing changes, pushing to remote repositories, and creating Pull Requests. It also executes local commands for testing and linting (SKILL.md).
- Sanitization: No sanitization, validation, or filtering of the fetched issue content is performed before it is used to influence the agent's planning and execution steps.
- [COMMAND_EXECUTION]: The skill directs the agent to execute arbitrary test and linting suites found within the repository (SKILL.md). While standard for development workflows, this execution capability could be leveraged if an attacker successfully influences the agent's behavior via a malicious GitHub issue or if the repository contains malicious test scripts.
Audit Metadata