skills/udecode/plate/major-task/Gen Agent Trust Hub

major-task

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is instructed to run repository-specific commands including installation scripts, build processes, and test suites. While necessary for its intended purpose as a development aid, this allows for the execution of potentially arbitrary code contained within a user-specified or cloned repository.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from well-known services including GitHub and Linear. It also includes instructions to clone external repositories if a local copy is not available, which involves network operations and data retrieval based on user-provided inputs.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it processes content from external sources like GitHub issues, pull request comments, and Linear tickets. An attacker could embed malicious instructions in these external documents to influence the agent's decision-making or execution steps.
    • Ingestion points: Data is ingested from user-supplied task descriptions, GitHub issue/PR bodies, and Linear ticket attachments.
    • Boundary markers: The skill uses <task> tags to encapsulate user input, but it lacks robust delimiters or explicit instructions to ignore embedded commands within the data fetched from external trackers.
    • Capability inventory: The agent has access to file system operations (cloning, editing), network access (via GitHub/Linear tools), and shell execution (for builds and tests).
    • Sanitization: There is no evidence of sanitization or filtering applied to the text retrieved from external APIs before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 04:43 AM