agent-loop-triage
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves and classifies untrusted data from GitHub issue bodies, PR descriptions, and comments. Malicious actors could embed instructions in these fields to influence the agent's classification logic or subsequent autonomous actions.
- Ingestion points: Untrusted data enters the agent context via
gh issue viewandgh pr viewcommands inSKILL.md(Detail Pass section). - Boundary markers: None; the skill does not use delimiters or instructions to ignore embedded commands within the fetched issue/PR content.
- Capability inventory: The agent has the ability to execute shell commands, including
git pull, which modifies the local repository state. - Sanitization: No sanitization or escaping of external content is performed before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill executes several shell commands to manage the repository and fetch data, including
git pull --ff-onlyto update the local worktree andgh apicalls to retrieve user metadata. While these are standard development workflows, they involve automated environment modification and network interaction with the GitHub API.
Audit Metadata