triage
Fail
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: In
SKILL.md(Step 3: Verify the claim), the agent is instructed to "check it out, run the relevant tests or commands" to verify a pull request. Because external pull requests are untrusted, this instruction allows for the execution of arbitrary code provided by an external contributor within the PR diff. - [COMMAND_EXECUTION]: The triage process explicitly defines a capability for the agent to execute shell commands to reproduce bugs and verify PRs. The lack of validation on the commands being run (especially from external PR sources) constitutes a high-risk behavior.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection as it is designed to ingest and act upon data from external, untrusted sources.
- Ingestion points: The agent reads the full body, comments, and metadata of GitHub issues and PRs (
SKILL.md). - Boundary markers: There are no boundary markers or instructions to ignore or isolate commands found within the ingested content.
- Capability inventory: The skill has access to shell execution (
SKILL.md, Step 3) and file-writing capabilities to update repository documentation (SKILL.md, Step 5). - Sanitization: There is no mechanism described for sanitizing or escaping external content before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata