task
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core function is to ingest and act upon untrusted data from external trackers (GitHub, Linear) and user-supplied arguments.
  - Ingestion points: Untrusted content enters the agent context via `gh issue view`, `gh pr view`, Linear issue fetches, and the `$ARGUMENTS` parameter in `SKILL.md`.
  - Boundary markers: The skill uses XML delimiters like `<task>` and `<video-transcript>` to wrap external content, which helps distinguish it from system instructions but does not provide absolute protection against adversarial input.
  - Capability inventory: The skill possesses significant capabilities, including file system modification, branch creation, automated testing (`pnpm`, `bun`), and network operations via the GitHub CLI (`gh`).
  - Sanitization: No explicit sanitization or filtering of the ingested tracker content is performed beyond the XML wrapping.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill contains an absolute file path reference (`/Users/zbeyens/git/plate/...`) which reveals the local system username and directory structure. While this constitutes minor information exposure, it is common in development-focused skills and does not pose a direct exfiltration risk.
Audit Metadata