deerflow-maintainer-orchestrator
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from GitHub issues and pull requests to generate automated responses.
- Ingestion points: Untrusted data enters the agent context through
gh issue view,gh pr view, andgh apicalls that fetch issue bodies, PR descriptions, and comments. - Boundary markers: The instructions lack explicit delimiters or instructions to the model to ignore potentially malicious embedded commands within the fetched artifact content.
- Capability inventory: The skill has the capability to perform repository operations, including fetching remote code and posting public comments or reviews via the
ghCLI. - Sanitization: There is no mention of sanitization, filtering, or escaping of the external content before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill utilizes standard command-line tools including
gh(GitHub CLI) andgitto facilitate its core functions. These operations are scoped to thebytedance/deer-flowrepository and are consistent with the skill's stated maintainer-automation purpose.
Audit Metadata