gh-issues
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXPOSURE]: The skill accesses sensitive local configuration files at
~/.openclaw/openclaw.jsonand/data/.clawdbot/openclaw.jsonto retrieve theGH_TOKENfor GitHub authentication. - [COMMAND_EXECUTION]: The instructions use
node -eto execute inline JavaScript for parsing JSON data from configuration files at runtime. - [DATA_EXFILTRATION]: The skill includes a
--notify-channelparameter that allows sending information about pull requests to an external Telegram channel based on a user-provided ID. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from GitHub issue titles, bodies, and pull request comments. This content is passed to sub-agents with shell execution and repository write capabilities.
- Ingestion points: Fetches issue metadata in Phase 2 and review comments/PR bodies in Phase 6.
- Boundary markers: The sub-agent prompt uses
<issue>and<review_comments>XML-style tags to delimit untrusted data. - Capability inventory: Sub-agents can execute arbitrary shell commands (
git,curl,grep), modify the local filesystem, push code to remote repositories, and open pull requests. - Sanitization: No explicit sanitization or filtering is performed on the untrusted data before it is interpolated into the sub-agent prompt.
Audit Metadata