The skill is vulnerable to prompt injection, allowing a sub-agent
Claims to do
Research: You are using the `research` skill to investigate a free-form topic and present findings inline. No IssueBoss issue is required — this skill works for any ad-hoc query.
Actually does
The skill first determines the current VCS context (Jujutsu or Git commit IDs). It then dispatches an `issueboss:research-topic-processor` sub-agent via the Agent tool with the topic, tags, VCS context, and project root. After receiving and parsing the processor's structured output, it presents the findings inline to the user and offers to save them as a Markdown file in `.insights/shared/research/` using the Write tool.
`/plugin marketplace add szinn/IssueBoss`
`/plugin install research@szinn/IssueBoss`
`npx skills add https://github.com/szinn/IssueBoss`

The skill dispatches a sub-agent (`issueboss:research-topic-processor`) using a prompt that includes user-controlled inputs (`topic`, `tags`) and sensitive system context (`project_root`, `change_id`, `commit`). This creates a significant prompt injection vulnerability against the sub-agent, potentially allowing an attacker to control its behavior, exfiltrate data, or perform unauthorized actions.

Dispatch `issueboss:research-topic-processor` via the Agent tool with this exact prompt format: ... topic_description: {topic} topic_tags: {tags as JSON array, or [] if none} change_id: {change_id} commit: {commit} project_root: {absolute path to project root}

The skill uses the Write tool to save the `findings body` (generated by the sub-agent) to a `.md` file. If the `research-topic-processor` is compromised via prompt injection, it could generate malicious content (e.g., scripts, misleading instructions) that is then written to the file system, potentially leading to persistence or further system compromise. The Write tool also creates parent directories automatically, indicating broad write permissions.

Write the file to .insights/shared/research/{kebab-summary}.md using the Write tool. ... File content format: ... {findings body exactly as returned by the processor}

The skill extracts VCS context (`change_id`, `commit`, `project_root`) and passes it to the `research-topic-processor`. If the sub-agent is compromised, this sensitive information could be exfiltrated or misused.

change_id: {change_id} commit: {commit} project_root: {absolute path to project root}

The skill directly executes shell commands (`jj log`, `git rev-parse HEAD`) to resolve VCS context. While the commands themselves are hardcoded and appear benign, this demonstrates the agent's capability to execute commands, which could be exploited if the command arguments were user-controlled.

`jj log -r @ --no-graph -T 'change_id ++ " " ++ commit_id'` and `git rev-parse HEAD`

The skill saves the `findings body` (generated by the sub-agent) to a `.md` file in a shared `.insights/shared/research/` directory. If the sub-agent is compromised and generates misleading or malicious content, this could poison the knowledge base used by other agents or humans.

Saved to `.insights/shared/research/{kebab-summary}.md` and `File content format: ... {findings body exactly as returned by the processor}`

The `findings body` returned by the `research-topic-processor` is displayed as-is to the user. If the sub-agent is compromised, it could generate malicious content (e.g., phishing links, deceptive instructions) that could socially engineer the human user.
Present findings inline — display the full findings body to the user as-is.