epic-tracker
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes data from untrusted sources, creating an attack surface for indirect prompt injection.
- Ingestion Points: Data is ingested from user-pasted context (logs, error reports, PR links) in
references/bug.mdandreferences/issue.md, local documentation files inreferences/epic.md, and external APIs viareferences/sync.md. - Capability Inventory: The agent has the capability to write markdown files to the project directory and execute shell commands through CLI tools (
gh,linear,jira) or MCP servers. - Boundary Markers: The instructions do not specify the use of boundary markers or protective delimiters when interpolating ingested data into the prompt context.
- Sanitization: No explicit sanitization or validation of the external content is performed before it is used to generate or update artifacts.
- [COMMAND_EXECUTION]: The skill interacts with external trackers by executing commands through the GitHub CLI (
gh), Linear CLI, or Jira CLI, and their respective MCP servers. This behavior is documented and consistent with the skill's primary purpose. It includes a bootstrap process to verify tool existence before use. - [SAFE]: Configuration data, including tracker repository names and project keys, is stored in a local
.config.ymlfile. This follows standard practices for local tool configuration and does not include hardcoded credentials.
Audit Metadata