pr-triage
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Phase 4 (Worktree Setup) dynamically constructs shell commands from PR branch names and PR numbers fetched from GitHub. Because the branch name is interpolated into a command string rather than passed as a separate argument, a maliciously crafted branch name containing shell metacharacters (e.g., backticks, semicolons, or $(...)) could lead to arbitrary command execution when the agent runs the git worktree or directory creation commands.
- [DATA_EXFILTRATION]: Phase 1 automatically copies the PR triage table to the system clipboard using platform-appropriate tools such as pbcopy, xclip, or clip.exe. Since the table contains PR titles written by external contributors, untrusted text is placed in the user's clipboard without explicit consent, where it can overwrite whatever sensitive content was there or be pasted unintentionally elsewhere.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted PR bodies and code diffs in Phase 2.
- Ingestion points: PR metadata and diffs enter the agent context via gh pr view and gh pr diff in SKILL.md.
- Boundary markers: The sub-agent prompt uses bold headers to delimit external content but lacks robust escaping or explicit instructions to ignore embedded commands.
- Capability inventory: Impacted capabilities include gh pr comment for posting reviews and git for local repository operations.
- Sanitization: PR content is interpolated directly into prompts without sanitization. The risk is primarily mitigated by a mandatory human review step in Phase 3 before any comments are posted back to GitHub.
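The COMMAND_EXECUTION finding above is easiest to understand by running the interpolation both ways. The following POSIX shell script is an added example, not code from the pr-triage skill or from the audit: it shows a constructed hostile branch name being re-parsed by the shell when spliced into a command string, then the same invocation built with quoted arguments, and finally with an allow-list check on the branch name and PR number. The function names (fake_git, unsafe_worktree_cmd, quoted_worktree_cmd, safe_worktree_cmd, is_safe_branch, is_safe_pr_number), the ../wt-<pr> path layout and the branch name itself are assumptions made for the example; fake_git stands in for git so the script runs without a repository.

```shell
#!/bin/sh
# Added example, not code from the pr-triage skill or the audit: shows why a
# PR branch name spliced into a shell command string is dangerous, and how to
# build the same git worktree invocation safely. All function names and the
# ../wt-<pr> layout are hypothetical; the branch name below is constructed.

# Stand-in for git so the example runs without a repository: prints each
# argument it received on its own line, which makes tokenization visible.
fake_git() {
  for arg in "$@"; do
    printf '[%s]\n' "$arg"
  done
}

# UNSAFE: $branch is expanded into a string that the shell parses again, so
# ';' ends the intended command and whatever follows runs as a second one.
# (eval stands in for the sh -c / subprocess string an agent would build.)
unsafe_worktree_cmd() {
  branch=$1
  pr=$2
  eval "fake_git worktree add ../wt-$pr $branch"
}

# BETTER: quoting passes the name as a single argv element, so the shell
# never interprets its metacharacters. This stops command injection but not
# argument injection: a name beginning with '-' still reaches git as an
# option, and '..' segments still reach the filesystem.
quoted_worktree_cmd() {
  branch=$1
  pr=$2
  fake_git worktree add "../wt-$pr" "$branch"
}

# Allow-list validation for the untrusted fields. The branch pattern is
# deliberately stricter than git's own rules (git check-ref-format --branch
# is the authoritative check); the PR number must be plain digits.
is_safe_branch() {
  case "$1" in
    ''|-*|*..*|*[!A-Za-z0-9/._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

is_safe_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# SAFE: validate first, then pass each value as its own argument after '--'
# so option parsing stops before git sees the attacker-controlled name.
safe_worktree_cmd() {
  branch=$1
  pr=$2
  if ! is_safe_pr_number "$pr"; then
    printf 'rejected PR number: %s\n' "$pr" >&2
    return 2
  fi
  if ! is_safe_branch "$branch"; then
    printf 'rejected branch name: %s\n' "$branch" >&2
    return 2
  fi
  fake_git worktree add -- "../wt-$pr" "$branch"
}

# Demonstration with a constructed hostile branch name.
EVIL_BRANCH='feature; echo INJECTED'
echo '--- unsafe (second command runs):'
unsafe_worktree_cmd "$EVIL_BRANCH" 42
echo '--- quoted (one token, but still not validated):'
quoted_worktree_cmd "$EVIL_BRANCH" 42
echo '--- safe (rejected before any command runs):'
safe_worktree_cmd "$EVIL_BRANCH" 42 || echo "exit status $?"
echo '--- safe with a legitimate name:'
safe_worktree_cmd 'feature/fix-123' 42
```

The unsafe run prints INJECTED after the worktree arguments, the quoted run keeps the whole hostile string as one token, and the validated run refuses it. Both layers matter: quoting alone leaves a name such as --upload-pack=... or one containing ../ to be interpreted by git or the filesystem, and validation alone still leaves the string exposed to the shell if it is later interpolated somewhere else.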