agent-loop-triage

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves and classifies untrusted data from GitHub issue bodies, PR descriptions, and comments. Malicious actors could embed instructions in these fields to influence the agent's classification logic or subsequent autonomous actions.
  • Ingestion points: Untrusted data enters the agent context via gh issue view and gh pr view commands in SKILL.md (Detail Pass section).
  • Boundary markers: None; the skill does not use delimiters or instructions to ignore embedded commands within the fetched issue/PR content.
  • Capability inventory: The agent has the ability to execute shell commands, including git pull, which modifies the local repository state.
  • Sanitization: No sanitization or escaping of external content is performed before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill executes several shell commands to manage the repository and fetch data, including git pull --ff-only to update the local worktree and gh api calls to retrieve user metadata. While these are standard development workflows, they involve automated environment modification and network interaction with the GitHub API.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 25, 2026, 04:44 PM
Security Audit — agent-trust-hub — agent-loop-triage