skills/sones3/matt-skills/triage/Gen Agent Trust Hub

triage

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: SKILL.md directs the agent to run tests or commands to reproduce bugs, based on steps provided by the issue reporter. This behavior allows untrusted external input to directly influence shell or test execution within the agent's environment.
  • [PROMPT_INJECTION]: The triage workflow is vulnerable to indirect prompt injection because it processes untrusted data from GitHub issues and comments without isolation.
      • Ingestion points: The agent ingests untrusted text from GitHub issue bodies, comments, and labels (SKILL.md).
      • Boundary markers: The instructions lack explicit delimiters or safety markers to isolate ingested content from the agent's core instructions.
      • Capability inventory: The agent can query external APIs (GitHub), read and write to the file system, and execute arbitrary commands for bug reproduction (SKILL.md).
      • Sanitization: No sanitization, validation, or escaping of the external input is performed before the agent processes it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 06:52 PM