pr-fix-loop
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill identifies and executes build or test scripts (e.g., from
package.json,Makefile, orturbo) in the local environment to verify fixes before pushing. Because these scripts are sourced from the repository branch being fixed, they could be modified in a malicious PR to execute arbitrary commands on the agent's host environment. - Evidence:
SKILL.mdStep 5: "Detect the repo's commands (e.g. package.json scripts, Makefile, turbo/pnpm/nx) and run". - [REMOTE_CODE_EXECUTION]: The skill analyzes PR comments and CI logs to generate and apply code fixes ('auto-fix' bucket). This represents a vulnerability to Indirect Prompt Injection where malicious instructions in a comment could trick the agent into inserting backdoors or performing unauthorized code modifications.
- Evidence:
SKILL.mdStep 1: "Scan finding sources — CI, bot findings... human inline comments" and Step 4: "Fix the auto-fix bucket". - Ingestion points: Untrusted data enters the agent context via GitHub PR comments (GraphQL
reviewThreads,reviews,commentsfromreferences/gh-loop.md) and CI logs (gh run view). - Boundary markers: The instructions do not specify any delimiters or safety prompts to ignore embedded instructions within the ingested comment data.
- Capability inventory: The skill has the capability to write to the local file system, commit and push code to the repository via
git, and interact with the GitHub API (gh api). - Sanitization: There is no evidence of sanitization, escaping, or filtering of the external comment content before it is processed by the agent to determine code modifications.
Audit Metadata