triage
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in
SKILL.mddirect the agent to "run tests or commands" to reproduce bugs based on the reporter's provided steps. This allows untrusted input from an issue reporter to directly influence shell command execution, which could be exploited for remote code execution if the agent attempts to follow malicious reproduction instructions. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from issue bodies, comments, and prior triage notes to guide its logic in
SKILL.md. - Ingestion points: Reads full issue body, comments, and labels from the issue tracker as context for triage (SKILL.md).
- Boundary markers: None; the skill does not instruct the agent to use delimiters or ignore instructions within the processed data.
- Capability inventory: The agent can write comments to the issue tracker, modify labels, close issues, write files to the
.out-of-scope/directory, and execute commands for bug reproduction (SKILL.md). - Sanitization: There are no instructions for sanitizing or escaping the content retrieved from the issue tracker before it is incorporated into the agent's reasoning or output.
- [DATA_EXFILTRATION]: The agent gathers sensitive context by reading the codebase, Architecture Decision Records (ADRs), and internal rejection logs to recommend actions in
SKILL.md. While the primary output is to the issue tracker, a malicious actor could use indirect prompt injection to trick the agent into leaking internal codebase details or documentation within its public triage notes or comments.
Audit Metadata