triage
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: In `SKILL.md`, the bug reproduction process explicitly directs the agent to "run tests or commands" based on the "reporter's steps". This allows untrusted input from issue reports to trigger arbitrary shell commands, which can be exploited by an attacker to execute malicious code on the host system.
- [PROMPT_INJECTION]: The skill processes untrusted data from external issue trackers (issue bodies, comments) as described in the "Triage a specific issue" section of `SKILL.md`. This represents an indirect prompt injection surface where a reporter can embed instructions to manipulate agent behavior.
  - Ingestion points: Issue body and comments (`SKILL.md`).
  - Boundary markers: No boundary markers or "ignore instructions" delimiters are defined for processing issue content.
  - Capability inventory: The agent can execute shell commands, read/write files (such as in the `.out-of-scope/` directory), and perform network operations against issue trackers.
  - Sanitization: No validation or sanitization of reporter-provided steps or issue content is mentioned before command execution or file modification.
Audit Metadata