gh-issue-to-demand-signal
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The README.md file contains installation instructions using `npx "@opendirectory.dev/skills"`. This command downloads and executes code from a third-party NPM scope that is not identified as a trusted organization or well-known service.
- [COMMAND_EXECUTION]: The skill uses dynamic script generation via Python HEREDOCs (e.g., in Step 2 of SKILL.md). It interpolates user-provided repository URLs directly into a Python string literal: `raw = "REPO_INPUT_HERE"`. If the agent does not properly sanitize the user input, an attacker could provide a string that escapes the literal context (e.g., using quotes and semicolons) to execute arbitrary Python code.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection by ingesting and processing external data.
  - Ingestion points: GitHub REST API (Step 3) fetches issue titles and bodies which are stored in `/tmp/ghd-raw-issues.json` and subsequently processed in Steps 4, 5, and 6.
  - Capability inventory: The skill executes shell commands (`bash`), runs Python scripts, and writes output to the local file system (`docs/demand-signals/`).
  - Boundary markers: There are no explicit delimiters or instructions provided to the AI to ignore instructions embedded within the fetched GitHub issue content.
  - Sanitization: No evidence of sanitization or escaping of the issue content is present before it is interpolated into prompts for clustering and GTM messaging generation.
Audit Metadata