deerflow-maintainer-orchestrator

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from GitHub issues and pull requests to generate automated responses.
  • Ingestion points: Untrusted data enters the agent context through gh issue view, gh pr view, and gh api calls that fetch issue bodies, PR descriptions, and comments.
  • Boundary markers: The instructions lack explicit delimiters or instructions to the model to ignore potentially malicious embedded commands within the fetched artifact content.
  • Capability inventory: The skill has the capability to perform repository operations, including fetching remote code and posting public comments or reviews via the gh CLI.
  • Sanitization: There is no mention of sanitization, filtering, or escaping of the external content before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill utilizes standard command-line tools including gh (GitHub CLI) and git to facilitate its core functions. These operations are scoped to the bytedance/deer-flow repository and are consistent with the skill's stated maintainer-automation purpose.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 01:53 AM
Security Audit — agent-trust-hub — deerflow-maintainer-orchestrator