new-branch
Pass
Audited by Gen Agent Trust Hub on May 26, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing shell commands via the
gh(GitHub CLI) andgitbinaries to manage branches. - The
$issuevariable is interpolated directly intogh issue view "$issue"inworkflows/issue-branch.md, which could lead to command injection if the user provides a malicious identifier string. - The skill executes
git checkout,git fetch, andgit rebaseusing variables derived from external issue data. - [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it processes data retrieved from external GitHub issues.
- Ingestion points: Data enters the agent's context from the
gh issue viewcommand output, specifically the issue title and number (found inworkflows/issue-branch.md). - Boundary markers: No explicit boundary markers or "ignore embedded instructions" warnings are used when processing the issue metadata.
- Capability inventory: The skill has the capability to execute shell commands (
git checkout,git fetch,git rebase) and manipulate the local file system's git state. - Sanitization: The workflow includes a robust sanitization step in
workflows/issue-branch.md(Step 2) that transforms the issue title into a kebab-case branch name (lowercase, alphanumeric only, hyphen-separated). This effectively prevents shell injection through the issue title in subsequent commands.
Audit Metadata