Skills
skills/sungjunlee/dev-backlog/backlog-triage/Gen Agent Trust Hub

backlog-triage

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it processes external data.
  • Ingestion points: scripts/triage-collect.js fetches issue titles and bodies from GitHub repositories.
  • Boundary markers: The skill uses a two-phase process where Phase 1 generates a markdown report as an intermediate boundary before mutations occur in Phase 2.
  • Capability inventory: scripts/triage-apply.js contains capabilities to execute destructive GitHub commands (gh issue close, gh issue edit) and post comments using child_process.execFileSync.
  • Sanitization: While scripts/triage-report.js truncates titles and snippets using shortText, it does not sanitize the content to remove HTML comments (<!-- triage:... -->). An attacker could theoretically embed a malicious anchor in a GitHub issue that, if reflected into the report and accepted by the user/agent, would execute unintended mutations.
  • [COMMAND_EXECUTION]: The skill frequently executes external CLI tools to interact with the environment.
  • Evidence: scripts/triage-collect.js and scripts/triage-apply.js use execFileSync to run gh (GitHub CLI) and git commands.
  • Context: This behavior is aligned with the skill's primary purpose of backlog management. The implementation includes argument quoting in quoteShellArg to mitigate basic shell injection vulnerabilities.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 20, 2026, 04:10 AM