pr-merge-prep
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon untrusted external data from Pull Request comments and diffs.
- Ingestion points: In
SKILL.md(Phase 3 and Phase 5), the skill reads PR review comments and the full current diff to triage issues and sync descriptions. - Boundary markers: There are no explicit delimiters or instructions to the agent to ignore potentially malicious directions embedded within the comments or diff content.
- Capability inventory: The skill has significant capabilities including modifying project source code, executing shell commands (tests), and pushing commits to remote branches as described in
SKILL.md(Phases 1-6). - Sanitization: The instructions do not specify any sanitization, escaping, or validation of the untrusted comment text before it is used to inform code fixes.
- [COMMAND_EXECUTION]: The skill performs dynamic command execution by discovering and running test commands defined in project-level configuration files.
- Evidence:
SKILL.md(Phase 2 and Gotchas) instructs the agent to search for test commands in files such asCLAUDE.md,pyproject.toml,package.json, andMakefile. - Risk: Since the skill is designed to handle PRs autonomously, an attacker could submit a PR modifying these configuration files to include malicious shell commands. The skill would then execute these commands during the test verification phase of its maintenance cycle.
Audit Metadata