dev-issue
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted content from GitHub issues (
gh issue view) and incorporates it into a task brief (/tmp/issue<num>-task.md) for a spawned agent. This presents an indirect prompt injection surface where a malicious GitHub issue could attempt to override the instructions given to the secondary agent.\n - Ingestion points: GitHub issue title and body fetched via
gh issue viewinSKILL.md(Step 2).\n - Boundary markers: Absent; the issue body is summarized or embedded into a markdown template without explicit instruction isolation.\n
- Capability inventory: The skill can execute shell commands (
git,gh), write to the filesystem (/tmp/), and spawn new agents (synapse spawn).\n - Sanitization: No explicit sanitization or validation of the fetched issue content is performed before interpolation into the task brief.\n- [COMMAND_EXECUTION]: The skill instructs the agent to extract symbols and file paths from the untrusted issue body and use them directly in shell commands such as
git log --oneline -5 -- <file>. If the extracted symbols are not properly sanitized by the agent, this could potentially lead to command injection.
Audit Metadata