executing-tasks-from-any-source
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to fetch content from GitHub issues and Johnny Decimal artifacts and pass that content directly into a multi-step implementation workflow. If an attacker controls the content of an issue or artifact, they can inject instructions to manipulate the agent's behavior during implementation steps.
- Ingestion points: GitHub issue body (extracted via `gh issue view` in Step 1) and Basic Memory artifact content (extracted via `basicmemory_read_note` in Step 1).
- Boundary markers: Absent. The skill does not define delimiters or wrap the fetched content in instructions that would prevent the agent from obeying embedded commands.
- Capability inventory: The workflow includes file system modification (via `using-git-worktrees`), network operations (`gh issue edit`/`comment`), and a full implementation cycle involving technical analysis and execution.
- Sanitization: While the `ARGUMENTS` (issue numbers or IDs) are validated using regex, the content of the tasks fetched from the sources is not sanitized or filtered before being processed by the agent's reasoning engine.
- Command Execution (LOW): The skill uses the GitHub CLI (`gh`) and internal tools to automate workflow status updates. Although the inputs for these commands are validated by regex, the interaction with external CLI tools and the file system to implement tasks increases the risk if the primary task instructions are compromised.
Recommendations
- AI detected serious security threats
Audit Metadata