github-issue-workflow
Pass
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes extensive defensive measures against indirect prompt injection from GitHub issue content. It defines an "Isolation Pipeline" in SKILL.md and references/security-protocol.md that instructs the agent to treat issue bodies as untrusted data and requires user confirmation of requirements before proceeding to implementation. A heuristic detection for instruction override in references/security-protocol.md was identified as a false positive, as the text describes malicious examples for the agent to ignore rather than providing active instructions to bypass safety.\n- [DATA_EXFILTRATION]: The skill uses the GitHub CLI (gh) to fetch issue metadata and create pull requests. These operations are performed on official GitHub infrastructure and are consistent with the skill's primary purpose. No unauthorized exfiltration of sensitive data to external or untrusted domains was found.\n- [COMMAND_EXECUTION]: The skill executes standard development tools including git, gh, and project-specific test runners like npm, pytest, and mvn. These executions are gated by a mandatory user confirmation phase (Phase 4) and are required for the skill's functionality. The skill provides clear prerequisites and configuration checks in references/prerequisites.md.\n- [PROMPT_INJECTION]: The skill processes untrusted user-generated content from GitHub issues, which represents an indirect prompt injection surface.\n
- Ingestion points: Issue bodies and comments are fetched using the gh issue view command in SKILL.md (Phase 1).\n
- Boundary markers: The skill establishes clear boundaries by labeling issue text as DATA (not instructions) and enforcing an Isolation Pipeline.\n
- Capability inventory: The skill possesses the capability to write/edit files, execute shell commands (Bash), and spawn sub-agents (Task).\n
- Sanitization: Sanitization is handled through a mandatory human-in-the-loop gate; the agent is instructed to present the issue text to the user and only implement requirements that the user describes in their own words, preventing direct obedience to instructions embedded in the issue body.
Audit Metadata