fix-issue

Warn

Audited by Gen Agent Trust Hub on May 28, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves untrusted data from GitHub issues (titles, bodies, and comments) via the gh issue view command and propagates this content to multiple parallel agents with high-privilege capabilities.
  • Ingestion points: Data fetched via gh issue view and gh issue list in SKILL.md and scripts/similar-issue-finder.sh.
  • Boundary markers: The skill lacks explicit boundary markers or "ignore embedded instructions" warnings when passing external issue content to sub-agents.
  • Capability inventory: The agents are granted access to Bash, Write, Edit, CronCreate, and TaskCreate tools.
  • Sanitization: There is no evidence of filtering or sanitization of external content before it is interpolated into agent prompts.
  • Mitigation: Wrap all external data (issue bodies, comments) in clear delimiters (e.g., XML tags) and provide explicit instructions to sub-agents to treat such content strictly as data, not instructions.
  • [COMMAND_EXECUTION]: The skill is susceptible to shell command injection. User-supplied arguments and external metadata are interpolated directly into shell command strings without adequate sanitization.
  • Evidence: The skill uses $ARGUMENTS and $ISSUE_NUMBER directly in commands like gh issue view $ARGUMENTS in SKILL.md and within the scripts/similar-issue-finder.sh script logic.
  • Mitigation: Sanitize all user-provided input and external metadata before using them in shell commands, or preferably use specific API tools that handle argument separation safely.
  • [COMMAND_EXECUTION]: The skill implements a persistence mechanism using CronCreate. It schedules periodic tasks on the host system to monitor CI status for pull requests.
  • Evidence: The CronCreate tool is invoked in the "Post-Fix Monitoring" phase of the SKILL.md workflow.
  • Mitigation: Ensure users are notified when a background task is scheduled and provide clear instructions for auditing or deleting these tasks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 28, 2026, 08:29 AM
Security Audit — agent-trust-hub — fix-issue