plan-issue-tree
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its processing of untrusted data from the GitHub environment.\n
- Ingestion points: The skill reads existing issue titles and labels in Phase 1 of the workflow (SKILL.md) and fetches full issue details including bodies during the verification phase via scripts/read-tree.sh.\n
- Boundary markers: The skill lacks explicit markers or instructions that differentiate between trusted planning instructions and untrusted data fetched from the repository, creating a risk that the agent may follow instructions embedded in issue content.\n
- Capability inventory: The skill enables the agent to create new issues (gh issue create), create and assign labels (scripts/setup-labels.sh), and modify issue hierarchies using GraphQL mutations (scripts/link-sub-issue.sh).\n
- Sanitization: There is no evidence of sanitization or content validation for the data retrieved from the GitHub API before it is processed by the agent.\n
- Mitigation: Implement strict delimiters around external content and provide explicit system instructions for the agent to treat repository-sourced content strictly as data.
Audit Metadata