github-triage
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It programmatically fetches untrusted content from GitHub issues and pull requests, then interpolates this data directly into the system prompts of background subagents.
  - Ingestion points: In `SKILL.md`, the fetch phase retrieves the `body` and `comments` fields from repository items.
  - Boundary markers: The subagent prompt templates (e.g., `SUBAGENT_ISSUE_BUG`, `SUBAGENT_PR_BUGFIX`) lack any delimiters or instructions to ignore embedded commands within the `{body}` and `{comments_summary}` placeholders.
  - Capability inventory: Subagents are granted write permissions to the repository, including the ability to post comments, close issues, and merge pull requests using the `gh` CLI.
  - Sanitization: The skill performs no escaping or validation on the text retrieved from the external repository before passing it to the LLM.
- [COMMAND_EXECUTION]: The skill uses the GitHub CLI (`gh`) to perform repository actions. While these are part of the intended functionality, the decision-making process for these commands relies on interpreting untrusted input strings, creating a risk of unauthorized repository modifications if the agent's logic is subverted.
Audit Metadata