pr-merge-prep

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon untrusted external data from Pull Request comments and diffs.
  • Ingestion points: In SKILL.md (Phase 3 and Phase 5), the skill reads PR review comments and the full current diff to triage issues and sync descriptions.
  • Boundary markers: There are no explicit delimiters or instructions to the agent to ignore potentially malicious directions embedded within the comments or diff content.
  • Capability inventory: The skill has significant capabilities including modifying project source code, executing shell commands (tests), and pushing commits to remote branches as described in SKILL.md (Phases 1-6).
  • Sanitization: The instructions do not specify any sanitization, escaping, or validation of the untrusted comment text before it is used to inform code fixes.
  • [COMMAND_EXECUTION]: The skill performs dynamic command execution by discovering and running test commands defined in project-level configuration files.
  • Evidence: SKILL.md (Phase 2 and Gotchas) instructs the agent to search for test commands in files such as CLAUDE.md, pyproject.toml, package.json, and Makefile.
  • Risk: Since the skill is designed to handle PRs autonomously, an attacker could submit a PR modifying these configuration files to include malicious shell commands. The skill would then execute these commands during the test verification phase of its maintenance cycle.
Audit Metadata
Risk Level
SAFE
Analyzed
May 1, 2026, 06:36 AM
Security Audit — agent-trust-hub — pr-merge-prep