triage
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's reproduction workflow instructs the agent to execute tests or shell commands derived from instructions provided by issue reporters in the project's tracker.
- Evidence: Found in SKILL.md under the reproduction section: "attempt reproduction: read the reporter's steps, trace the relevant code, run tests or commands."
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted external data (GitHub issue content) to drive logic and execution.
- Ingestion points: Untrusted data enters the agent context through issue bodies, comments, and reporter activity read from the issue tracker.
- Boundary markers: The skill does not implement delimiters or explicit "ignore embedded instructions" warnings when processing external issue content.
- Capability inventory: The agent has capabilities to execute system commands (for bug reproduction), write files (to the .out-of-scope/ directory), and post comments to GitHub.
- Sanitization: No sanitization or validation of reporter-provided reproduction steps is specified before the agent attempts execution.
Audit Metadata