gh-pr-fix-once

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection via GitHub review comments. The skill processes external data from review thread bodies using scripts/pr_health.py and instructs the agent to treat them as actionable tasks. There are no boundary markers or sanitization steps to distinguish these potentially untrusted comments from legitimate instructions, which could lead to the agent performing unauthorized file modifications or command execution.
    • Ingestion points: scripts/pr_health.py (fetch_threads function).
    • Boundary markers: Absent.
    • Capability inventory: File writes, shell execution (test/lint/build), and git push operations.
    • Sanitization: Absent.
  • [COMMAND_EXECUTION]: The skill executes local shell commands. The scripts/pr_health.py helper script uses subprocess.run to call the GitHub CLI (gh). Additionally, the agent is directed to execute repository-specific test, lint, and build commands. While functional, these capabilities serve as the execution mechanism for any malicious instructions received via indirect prompt injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 03:51 AM