fix-pr
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection risk due to ingestion of untrusted external data.
- Ingestion points: The skill fetches CI logs using
gh run view --log-failedand PR review comments usinggh api. Both sources are potentially attacker-controllable (e.g., a malicious contributor or a test that outputs a payload to logs). - Boundary markers: The 'Fixer Subagent Prompt' includes a dedicated 'Safety Boundary' section that explicitly instructs the agent to treat log and comment data as untrusted and to ignore any embedded commands or instructions to change its workflow.
- Capability inventory: The agent has the capability to read and modify the local filesystem, and to execute GitHub CLI commands, including GraphQL mutations and API requests to reply to comments.
- Sanitization: No programmatic sanitization is performed on the ingested data; the skill relies entirely on the LLM's adherence to the 'Safety Boundary' instructions.
- [COMMAND_EXECUTION]: Significant use of the GitHub CLI (
gh) for repository interaction. - The skill instructs the agent to inline variables (owner, repo, PR number) directly into shell commands (
gh api graphql) because of shell issues with standard variable interpolation symbols. While these variables are sourced from GitHub's own metadata, direct string interpolation in shell commands is a risky pattern that could lead to command injection if source variables were ever compromised or maliciously crafted.
Audit Metadata