github
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through GitHub PR review comments. It fetches these comments using `scripts/fetch-threads.sh` and instructs the agent to perform autonomous "auto-fixes" based on the content.
  - Ingestion points: External PR review comments fetched from the GitHub API and processed by the agent in the `pr-fix` and `pr-fix-parallel` workflows.
  - Boundary markers: Absent. The instructions do not specify any delimiters or warnings to treat the fetched comment data as untrusted or separate from the agent's instructions.
  - Capability inventory: The agent has extensive capabilities to modify the local filesystem, commit changes, push to remote repositories, and merge pull requests using tools described in `SKILL.md` and `references/pr-merge.md`.
  - Sanitization: Absent. The skill provides no mechanism to sanitize or validate the instructions contained within PR comments before the agent acts on them.
- [COMMAND_EXECUTION]: The skill relies on shell scripts (`scripts/fetch-threads.sh`, `scripts/reply-thread.sh`, `scripts/resolve-thread.sh`) that interact with the `gh` CLI and the filesystem. While these scripts are integral to the skill's functionality, they involve shell variable interpolation for parameters such as repository identifiers and PR numbers, which depends on the agent providing correctly formatted inputs.
Audit Metadata