implement-issue
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted input from GitHub issues and comments (
gh issue view), creating a surface for indirect prompt injection attacks where an attacker could embed malicious instructions in an issue. - Ingestion points: Untrusted data enters the agent context via
gh issue view(body and comments) as described inSKILL.mdandreferences/workflow.md. - Boundary markers: The skill does not implement explicit boundary markers or instructions for agents to ignore embedded commands within the fetched issue data.
- Capability inventory: The skill possesses extensive capabilities, including shell command execution (
gh,git,npm,pytest, etc.) and the ability to delegate tasks to theteam-executorskill. - Sanitization: There is no evidence of sanitization, escaping, or validation of the external content fetched from GitHub before it is interpolated into prompts or used for planning.
- [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with the environment, including GitHub CLI (
gh) for managing issues and pull requests, andgitfor repository operations. It also executes project-specific build, test, and lint commands (e.g.,npm test,make test,pytest) which vary based on the repository it is operating on. - [EXTERNAL_DOWNLOADS]: The skill checks for the presence of the
team-executordependency and, if missing, prompts the user to install it from the vendor's repository usingnpx skills add thatjuan/agent-skills --skill team-executor. - [DATA_EXFILTRATION]: The skill accesses the local file system to check for existing skills in paths like
~/.claude/skills/. It also performs network operations to fetch data from GitHub and post comments or create pull requests, which involves moving data from the local environment to an external service.
Audit Metadata