skills/paulund/ai/github-triage/Gen Agent Trust Hub

github-triage

Fail

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: In the Bug reproduction section of SKILL.md, the agent is instructed to execute commands to confirm reported behavior based on the reporter's instructions. Because these reports come from external users, an attacker can provide an issue body containing malicious shell commands which the agent may execute while attempting to reproduce the bug.
  • [PROMPT_INJECTION]: The skill processes untrusted data from GitHub issue bodies and comments, creating a surface for indirect prompt injection.
    1. Ingestion points: Issue data is read in SKILL.md during the context gathering phase.
    2. Boundary markers: Absent; there are no instructions to treat issue content as data rather than instructions.
    3. Capability inventory: The agent can use the GitHub CLI (gh) and execute arbitrary shell commands.
    4. Sanitization: None; the skill does not validate or sanitize input from the issue report before using it to drive the triage process.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 25, 2026, 07:05 AM