skills/ninehills/skills/triage/Gen Agent Trust Hub

triage

Fail

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: In SKILL.md (Step 3: Verify the claim), the agent is instructed to "check it out, run the relevant tests or commands" to verify a pull request. Because external pull requests are untrusted, this instruction allows for the execution of arbitrary code provided by an external contributor within the PR diff.
  • [COMMAND_EXECUTION]: The triage process explicitly defines a capability for the agent to execute shell commands to reproduce bugs and verify PRs. The lack of validation on the commands being run (especially from external PR sources) constitutes a high-risk behavior.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection as it is designed to ingest and act upon data from external, untrusted sources.
  • Ingestion points: The agent reads the full body, comments, and metadata of GitHub issues and PRs (SKILL.md).
  • Boundary markers: There are no boundary markers or instructions to ignore or isolate commands found within the ingested content.
  • Capability inventory: The skill has access to shell execution (SKILL.md, Step 3) and file-writing capabilities to update repository documentation (SKILL.md, Step 5).
  • Sanitization: There is no mechanism described for sanitizing or escaping external content before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 4, 2026, 04:21 PM
Security Audit — agent-trust-hub — triage