triage
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted issue descriptions and comments from external trackers in
SKILL.md. It lacks boundary markers or sanitization, creating a surface for indirect prompt injection where malicious issue content could influence agent behavior. 1. Ingestion points: Issue bodies and comments read during the 'Gather context' step inSKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Command execution for bug reproduction, file system writes to.out-of-scope/, and posting comments to the issue tracker API. 4. Sanitization: Absent. - [DYNAMIC_EXECUTION]: In the 'Reproduce (bugs only)' section of
SKILL.md, the agent is instructed to run tests or commands based on the reporter's provided steps. This creates a risk of arbitrary command execution if a malicious reporter provides a payload designed to exploit the agent's execution environment. - [DATA_EXPOSURE_AND_EXFILTRATION]: The skill combines the ability to read the codebase for context with the ability to write comments to an issue tracker. This capability chain could be exploited via indirect prompt injection to leak sensitive information or source code from the repository into public-facing issue comments.
- [PROMPT_INJECTION]: The 'Quick state override' section in
SKILL.mdinstructs the agent to trust specific user commands and bypass normal evaluation logic. While intended for maintainers, this pattern overrides standard safety checks for state transitions and workflow management.
Audit Metadata