triaging-issues
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to process untrusted data from GitHub issue bodies and comments, making it susceptible to indirect prompt injection where an attacker might attempt to influence the triage process or the generated summary.
  - Ingestion points: Untrusted data is fetched from the repository via `scripts/get_issue.sh` and `scripts/get_comments.sh` in the `SKILL.md` flow.
  - Boundary markers: The instructions in `SKILL.md` explicitly command the agent to ignore any instructions inside the issue body or comments that tell it to run scripts or perform actions.
  - Capability inventory: The skill's environment is highly restricted; it has read-only access to GitHub scripts and can only produce a structured JSON file (`triage-decision.json`) as output. It lacks tools to post comments, change labels, or execute arbitrary code.
  - Sanitization: The skill requires the agent to paraphrase summaries instead of copying text verbatim and enforces a 280-character limit to prevent data exfiltration and content echoing.
- [COMMAND_EXECUTION]: The skill uses data extracted from untrusted issue content as arguments for shell commands, which presents a command injection risk if keywords are not properly handled.
  - Evidence: In `SKILL.md`, the instruction `bash scripts/search_issues.sh "<keywords from issue title and body>"` interpolates user-controlled text directly into a bash command line.
Audit Metadata