ah-resolve-pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands via bash blocks in SKILL.md and the subprocess module in scripts/fetch_pr_data.py. These commands are used for standard Git operations, interacting with the GitHub CLI (gh), and running project verification scripts (e.g., npm test, build) defined in the repository's package.json.
- [DATA_EXFILTRATION]: The skill performs network operations by interacting with the GitHub API via the gh tool to fetch metadata and post replies to pull request threads. These operations are consistent with the skill's stated purpose.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted reviewer comments to drive code modifications.
  - Ingestion points: External data enters the agent context through pull request comments and linked issue descriptions fetched in scripts/fetch_pr_data.py.
  - Boundary markers: The instructions do not define explicit boundary markers or isolation for the ingested comment text.
  - Capability inventory: The skill possesses the ability to modify the project's source code, execute arbitrary project-defined scripts, and communicate with the GitHub API.
  - Sanitization: No automated sanitization or filtering of PR comments is performed. The primary mitigation is a mandatory human-in-the-loop approval step (Step 5d) where the user must review and approve the proposed fix plan before any implementation occurs.