triage-issue
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted GitHub issues and comments, which constitutes an Indirect Prompt Injection surface. Although the workflow includes a mandatory security check using a regex-based detection script (`detect_prompt_injection.py`) and explicit instructions to ignore embedded commands, sophisticated adversarial content could potentially bypass these filters to influence agent behavior.
  - Ingestion points: GitHub issue JSON and comments JSON fetched via `gh api` (documented in SKILL.md Step 1).
  - Boundary markers: The skill includes a 'Security policy' section and explicit workflow instructions to treat issue content as untrusted data and ignore embedded instructions.
  - Capability inventory: The agent can perform file system reads (`grep`), repository searches (`gh api`), local file writes (`Write` tool), and authenticated network requests to the Linear API (`post_linear_comment.py`).
  - Sanitization: Employs `detect_prompt_injection.py` for pattern matching and language detection, alongside instructions to strip shell metacharacters from search terms.
- [COMMAND_EXECUTION]: The skill generates shell commands for code searching (`grep`) and GitHub API queries using terms derived from issue titles and bodies. While the instructions mandate that the agent strip shell metacharacters, this mitigation relies on model compliance rather than programmatic enforcement.
- [DATA_EXFILTRATION]: The script `post_linear_comment.py` transmits triage reports to the Linear API. While this is the intended primary purpose of the skill, a successful prompt injection could attempt to misuse the provided Linear credentials (`LINEAR_CLIENT_ID`, `LINEAR_CLIENT_SECRET`) or the authenticated channel to exfiltrate other sensitive repository information.