skills/bigdra50/dotfiles/copilot/Gen Agent Trust Hub

copilot

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions describe parsing user-provided inputs such as task descriptions and optional flags (--model, --effort) and interpolating them into a shell command line (copilot -p). This pattern creates a potential surface for command injection if the platform implementation does not properly sanitize shell metacharacters in the task string or arguments.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it is designed to read and process untrusted data from the user's project environment.
      • Ingestion points: Processes user-defined tasks and project source code (e.g., via /copilot review src/auth/) defined in SKILL.md.
      • Boundary markers: No specific delimiters or instructions to ignore embedded agent commands in the ingested files are present.
      • Capability inventory: Executes shell-based tasks via the GitHub Copilot CLI as specified in SKILL.md.
      • Sanitization: No evidence of input validation or content filtering is provided in the skill instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 05:40 PM