ah-resolve-pr-review

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs various shell operations using git and gh (GitHub CLI) to manage branch state, fetch repository data, and post replies to PR threads. These actions are necessary for the skill's stated purpose and use standard CLI patterns.
  • [PROMPT_INJECTION]: The skill ingests and processes untrusted data from GitHub pull request comments and linked issues, which creates a surface for indirect prompt injection.
    • Ingestion points: Review threads and conversation comments are fetched from the GitHub API using scripts/fetch_pr_data.py.
    • Boundary markers: The skill does not explicitly use delimiters or boundary markers to isolate untrusted PR content from the agent's instructions.
    • Capability inventory: The agent has the authority to modify the local filesystem, execute shell commands, and run verification scripts (e.g., npm test, npm build) defined in the project's configuration.
    • Sanitization: No sanitization or filtering is applied to the PR comments before they are analyzed by the LLM.
    • Mitigation: The risk is significantly mitigated by a mandatory human-in-the-loop checkpoint (Step 5 in SKILL.md), where the agent must present a formatted "Fix Plan" for user approval before implementation.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 25, 2026, 09:51 AM