triage-issue

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability. The skill ingests untrusted data from GitHub issue titles and bodies via the gh issue view command. This content is used to guide reproduction and fixing steps, which could be manipulated by an attacker to execute arbitrary commands or modify the codebase maliciously.
      • Ingestion points: GitHub issue content (title and body) retrieved in SKILL.md.
      • Boundary markers: Absent; there are no delimiters or explicit instructions to ignore embedded commands within the ingested issue data.
      • Capability inventory: The skill can perform file system modifications, execute cargo test and cargo run, perform git push, and use gh pr create to submit changes.
      • Sanitization: No sanitization, escaping, or validation of the issue content is performed before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill executes cargo test and cargo run on the local codebase. While this is the intended functionality for a triage tool, it creates a risk when the code being tested or executed has been modified based on untrusted external input from a GitHub issue. Additionally, the $ARGUMENTS variable is used unquoted in shell commands (e.g., gh issue view $ARGUMENTS), which could lead to command injection if the input is not strictly a numeric issue ID.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 17, 2026, 07:59 AM