triage
Fail
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to verify claims by executing commands from untrusted sources in
SKILL.md. Specifically, it tells the agent to "reproduce it [a bug] from the reporter's steps" and, for Pull Requests, to "run the relevant tests or commands." This allows an external attacker to execute arbitrary shell commands on the system hosting the agent by submitting a crafted issue or PR. - [REMOTE_CODE_EXECUTION]: The instruction to verify PRs by checking out the diff and running associated commands constitutes a remote code execution risk. Since the source of the code and the commands (external contributors) is untrusted, the agent may execute malicious payloads during the triage process.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes and acts upon untrusted data from an issue tracker.
- Ingestion points: In
SKILL.md(Step 1: Gather context), the agent reads the full body, comments, and author metadata of issues and PRs. - Boundary markers: There are no instructions to use delimiters or ignore embedded instructions within the ingested content, increasing the risk that malicious text in an issue could redirect the agent's behavior.
- Capability inventory: The agent has the ability to execute shell commands (
SKILL.md), write to the repository's filesystem (OUT-OF-SCOPE.md), and post comments or change labels via the tracker API. - Sanitization: The skill does not mention any sanitization, validation, or filtering of external content before it is processed or used to influence agent decisions.
Recommendations
- AI detected serious security threats
Audit Metadata