epic-tracker

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes data from untrusted sources, creating an attack surface for indirect prompt injection.
  • Ingestion Points: Data is ingested from user-pasted context (logs, error reports, PR links) in references/bug.md and references/issue.md, local documentation files in references/epic.md, and external APIs via references/sync.md.
  • Capability Inventory: The agent has the capability to write markdown files to the project directory and execute shell commands through CLI tools (gh, linear, jira) or MCP servers.
  • Boundary Markers: The instructions do not specify the use of boundary markers or protective delimiters when interpolating ingested data into the prompt context.
  • Sanitization: No explicit sanitization or validation of the external content is performed before it is used to generate or update artifacts.
  • [COMMAND_EXECUTION]: The skill interacts with external trackers by executing commands through the GitHub CLI (gh), Linear CLI, or Jira CLI, and their respective MCP servers. This behavior is documented and consistent with the skill's primary purpose. It includes a bootstrap process to verify tool existence before use.
  • [SAFE]: Configuration data, including tracker repository names and project keys, is stored in a local .config.yml file. This follows standard practices for local tool configuration and does not include hardcoded credentials.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 06:44 PM
Security Audit — agent-trust-hub — epic-tracker