issue-create
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill features a 'Self-Evolving Skill' mechanism that explicitly directs the agent to 'fix this file immediately' (SKILL.md) if issues arise. This creates a severe vulnerability to indirect prompt injection; an attacker could provide data (e.g., in a repository or previous issue) that causes a failure and 'suggests' a malicious update that the agent then writes into its own permanent instructions.
- [COMMAND_EXECUTION]: The skill executes a custom TypeScript script via the
bunruntime (~/eon/cc-skills/plugins/gh-tools/scripts/issue-create.ts) and utilizes theBashtool to perform environment preflights, commit checks, and GitHub CLI operations. This gives the skill significant control over the local environment and git state. - [DATA_EXFILTRATION]: The skill's documentation describes using Playwright with a persistent browser profile located at
~/.claude/tools/pw-github-profile/. This profile contains sensitive session cookies and authentication tokens for GitHub. If the skill's logic or the user's input influences the browser automation flow, these credentials could be exposed or hijacked. - [PROMPT_INJECTION]: The skill processes arbitrary user-supplied issue content and interpolates it directly into AI prompts for classification and labeling (e.g.,
Content: {content}inai-prompts.md). It lacks boundary markers, delimiters, or sanitization instructions, making the classification process susceptible to indirect prompt injection from the issue body itself.
Audit Metadata