gh-issue-resolver

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitHub comments and uses it as executable instructions.
      • Ingestion points: The agent fetches issue comments via the gh issue view command and identifies a plan using a specific HTML comment marker.
      • Boundary markers: The skill searches for <!-- gh-issue-planner:agreed-plan -->, but this marker is easily spoofable by any user with permission to comment on the repository. There are no instructions to sanitize or validate the content within this block.
      • Capability inventory: The skill has broad capabilities, including file system modification, arbitrary shell command execution (Step 4: Test Verification), and authenticated repository interaction via the gh CLI (PR creation).
      • Sanitization: No sanitization or human-in-the-loop validation is mentioned before the agent translates the extracted 'plan' into code changes and command execution.
  • [COMMAND_EXECUTION]: The skill instructs the agent to run tests and apply changes based on the untrusted plan. Since the 'Test Verification' step involves running shell commands, an attacker could embed malicious shell payloads within a comment that would be executed by the agent in the local environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 30, 2026, 07:53 AM