triage

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted input from an external issue tracker.
    • Ingestion points: In SKILL.md, the instructions for the 'Gather context' step require reading the full issue body and comments from the reporter.
    • Boundary markers: The instructions lack explicit boundary markers or directions to ignore instructions within the ingested issue content.
    • Capability inventory: The skill can execute shell commands ('run tests or commands' in SKILL.md), read/write files in the .out-of-scope/ directory, and interact with the issue tracker API.
    • Sanitization: There is no mention of sanitizing or validating the untrusted content before processing or using it in command execution.
  • [COMMAND_EXECUTION]: The skill specifically instructs the agent to 'run tests or commands' to reproduce bugs identified in the issue tracker. This capability can be exploited if an attacker includes malicious command instructions in an issue report.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 07:12 PM