issue-triage

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted user-submitted content from GitHub issues (titles, bodies, comments). It contains explicit instructions to ignore any attempts to override agent behavior, reveal secrets, or change its role.
  • [COMMAND_EXECUTION]: The skill uses the GitHub CLI (gh) to perform searches, view issue details, and potentially edit or close issues. Access is restricted to specific commands like 'gh search issues' and 'gh issue view' within the handler's contract.
  • [REMOTE_CODE_EXECUTION]: The 'diagnose-and-validate' stage permits running package scripts (e.g., from package.json) or checked-in repository scripts for validation. While instructions mandate using only 'trusted repository files', this capability presents a surface for executing code residing in the triaged repository.
  • [PROMPT_INJECTION]: An indirect prompt injection surface is present because the skill processes external issue data.
      (1) Ingestion points: 'context.issue' and 'context.labels' provided to the handler (SKILL.md).
      (2) Boundary markers: The 'Global Rules' section explicitly designates issue content as 'untrusted user content'.
      (3) Capability inventory: Includes GitHub CLI operations (search, view, edit) and the execution of repository-level scripts or tests.
      (4) Sanitization: The skill instructs the agent to disregard instructions that attempt to alter its role or execute commands found in the issue body.
Audit Metadata
Risk Level: SAFE
Analyzed: May 20, 2026, 01:02 AM
Security Audit — agent-trust-hub — issue-triage