fix-issue
Warn
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves untrusted data from GitHub issues (titles, bodies, and comments) via the
gh issue viewcommand and propagates this content to multiple parallel agents with high-privilege capabilities. - Ingestion points: Data fetched via
gh issue viewandgh issue listinSKILL.mdandscripts/similar-issue-finder.sh. - Boundary markers: The skill lacks explicit boundary markers or "ignore embedded instructions" warnings when passing external issue content to sub-agents.
- Capability inventory: The agents are granted access to
Bash,Write,Edit,CronCreate, andTaskCreatetools. - Sanitization: There is no evidence of filtering or sanitization of external content before it is interpolated into agent prompts.
- Mitigation: Wrap all external data (issue bodies, comments) in clear delimiters (e.g., XML tags) and provide explicit instructions to sub-agents to treat such content strictly as data, not instructions.
- [COMMAND_EXECUTION]: The skill is susceptible to shell command injection. User-supplied arguments and external metadata are interpolated directly into shell command strings without adequate sanitization.
- Evidence: The skill uses
$ARGUMENTSand$ISSUE_NUMBERdirectly in commands likegh issue view $ARGUMENTSinSKILL.mdand within thescripts/similar-issue-finder.shscript logic. - Mitigation: Sanitize all user-provided input and external metadata before using them in shell commands, or preferably use specific API tools that handle argument separation safely.
- [COMMAND_EXECUTION]: The skill implements a persistence mechanism using
CronCreate. It schedules periodic tasks on the host system to monitor CI status for pull requests. - Evidence: The
CronCreatetool is invoked in the "Post-Fix Monitoring" phase of theSKILL.mdworkflow. - Mitigation: Ensure users are notified when a background task is scheduled and provide clear instructions for auditing or deleting these tasks.
Audit Metadata