contributor
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes untrusted data from GitHub issue comments and repository files to determine its contribution strategy.
- Ingestion points: The skill retrieves issue body and comments using
gh issue viewand reads project files likeCONTRIBUTING.mdin SKILL.md. - Boundary markers: The instructions lack delimiters or warnings to ignore embedded instructions within the ingested text.
- Capability inventory: The skill has broad capabilities including shell command execution for tests (
pytest,npm,cargo,go) and file system/network operations viagitandgh. - Sanitization: No validation or sanitization is performed on the data fetched from GitHub before the agent interprets it for architectural guidance.
- [COMMAND_EXECUTION]: The skill executes various project-specific test and build commands (e.g.,
pytest,npm,cargo,go, andpre-commit). These commands involve executing code found within the repository, which presents a risk of local code execution if the repository provided by the user is malicious. - [EXTERNAL_DOWNLOADS]: The skill downloads external code by forking and cloning repositories from GitHub using the
ghCLI. While GitHub is a well-known service, the automated execution of the downloaded content (via tests and pre-commit hooks) remains a risk factor.
Audit Metadata