review
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from PR descriptions, commit messages, and source code diffs. This creates an attack surface for indirect prompt injection, where a malicious author could embed instructions in comments or metadata to trick the agent into performing unintended actions or applying harmful changes.
  - Ingestion points: PR bodies via `gh pr view`, commit logs, and the code diff.
  - Boundary markers: None explicitly used to separate untrusted content from agent instructions.
  - Capability inventory: The agent uses `Bash`, `Edit`, and `Write` tools, providing a path for injected instructions to modify the codebase.
  - Sanitization: No sanitization is performed on ingested data before it influences agent logic.
- [COMMAND_EXECUTION]: The skill identifies and runs test suites and linters by executing commands detected in project files like `package.json` or `Makefile`. This constitutes execution of arbitrary code defined within the workspace.
Audit Metadata