gh-issues
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by processing untrusted data from external sources.
- Ingestion points: The orchestrator fetches issue titles, bodies, and review comments from external GitHub repositories using the GitHub REST API.
- Boundary markers: Untrusted content (e.g.,
{body},{json_array_of_actionable_comments}) is interpolated directly into the sub-agent prompts without delimiters (like XML tags) or explicit instructions to treat the content as data rather than instructions. - Capability inventory: Sub-agents have significant capabilities, including executing shell commands via
git(commit and push) and performing network operations usingcurlwith aGH_TOKENthat has repository write access. - Sanitization: No sanitization, escaping, or filtering is performed on the data fetched from GitHub before it is passed to the sub-agent's context.
- [CREDENTIALS_UNSAFE]: The skill accesses sensitive local files to retrieve authentication credentials.
- Evidence: The skill is instructed to read
GH_TOKENfrom sensitive paths including$HOME/.openclaw/openclaw.jsonand/data/.clawdbot/openclaw.json. While necessary for the skill's primary function, the method involves reading entire JSON configuration files which may expose other sensitive environment settings or API keys stored within the same file. - [COMMAND_EXECUTION]: The skill uses parallel sub-agents to execute complex command sequences derived from untrusted input.
- Evidence: Uses
sessions_spawnto launch agents that perform git operations (git checkout,git push) and API interactions (curl -X POST) based on the content of the processed GitHub issues, creating a path for attackers to influence command-line arguments via crafted issue descriptions.
Audit Metadata