
ops-triage

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from GitHub issues and repository files to make triage decisions and execute reproduction steps.
  • Ingestion points: GitHub issue titles, bodies, and comments; codebase files; and files within the .out-of-scope/ directory.
  • Boundary markers: Absent. The instructions do not specify the use of delimiters or 'ignore' instructions for the processed content.
  • Capability inventory: GitHub CLI (gh) operations (labeling, commenting, closing issues), filesystem writes to the .out-of-scope/ directory, and arbitrary command execution for bug reproduction.
  • Sanitization: Absent. There is no mention of escaping or validating the content retrieved from GitHub or the codebase before it is used to inform agent actions.
  • [COMMAND_EXECUTION]: The 'Bug reproduction' workflow explicitly instructs the agent to 'execute commands' or 'run tests' to confirm reported issues. If an issue reporter provides malicious reproduction steps or if the codebase contains malicious test scripts, the agent may execute them as part of the triage process. While this is part of the skill's primary purpose, it presents a significant capability that can be abused by untrusted external inputs.
Audit Metadata
Risk Level: SAFE
Analyzed: May 4, 2026, 04:14 PM
Security Audit — agent-trust-hub — ops-triage