skills/arctuition/skills/pr-fix-loop/Gen Agent Trust Hub

pr-fix-loop

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill identifies and executes build or test scripts (e.g., from package.json, Makefile, or turbo) in the local environment to verify fixes before pushing. Because these scripts are sourced from the repository branch being fixed, they could be modified in a malicious PR to execute arbitrary commands on the agent's host environment.
  • Evidence: SKILL.md Step 5: "Detect the repo's commands (e.g. package.json scripts, Makefile, turbo/pnpm/nx) and run".
  • [REMOTE_CODE_EXECUTION]: The skill analyzes PR comments and CI logs to generate and apply code fixes ('auto-fix' bucket). This represents a vulnerability to Indirect Prompt Injection where malicious instructions in a comment could trick the agent into inserting backdoors or performing unauthorized code modifications.
  • Evidence: SKILL.md Step 1: "Scan finding sources — CI, bot findings... human inline comments" and Step 4: "Fix the auto-fix bucket".
  • Ingestion points: Untrusted data enters the agent context via GitHub PR comments (GraphQL reviewThreads, reviews, comments from references/gh-loop.md) and CI logs (gh run view).
  • Boundary markers: The instructions do not specify any delimiters or safety prompts to ignore embedded instructions within the ingested comment data.
  • Capability inventory: The skill has the capability to write to the local file system, commit and push code to the repository via git, and interact with the GitHub API (gh api).
  • Sanitization: There is no evidence of sanitization, escaping, or filtering of the external comment content before it is processed by the agent to determine code modifications.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 24, 2026, 10:55 AM
Security Audit — agent-trust-hub — pr-fix-loop