flux-publish

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from GitHub PRs without sanitization.
  • Ingestion points: Untrusted data enters the agent context via gh pr view --json number,title,url,headRefName and gh pr view --json comments as described in SKILL.md.
  • Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are used when interpolating PR data into the agent's logic or API payloads.
  • Capability inventory: The skill can execute Python scripts, perform GitHub CLI operations (like commenting), and use MCP tools to modify cards on the Flux platform.
  • Sanitization: No sanitization or validation logic is present to filter malicious instructions embedded in PR titles or comments before they are processed by the agent.
  • [COMMAND_EXECUTION]: The skill instructions rely on shell command interpolation which can be risky when handling user-controlled data.
  • Evidence: The pattern echo '<payload>' | python3 "$SCRIPT" create is used to pass JSON payloads to a local script.
  • Risk: If the agent fails to properly escape special characters (like single quotes) in PR titles used within the payload, it could lead to shell command injection during the execution of the command pipeline.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 07:04 PM