flow-next-resolve-pr
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Phase 6 of the workflow executes a command (`PROJECT_TEST_CMD`) that is dynamically retrieved from repository files such as `AGENTS.md` or `CLAUDE.md`. If an attacker compromises these files, they can achieve arbitrary command execution during the validation phase.
  - Evidence: In `workflow.md` Phase 6, the skill reads the preferred command from project documentation and executes it: `PROJECT_TEST_CMD="(...)"` followed by `$PROJECT_TEST_CMD`.
- [PROMPT_INJECTION]: The skill ingests untrusted PR comments and review data from the GitHub API, creating a surface for Indirect Prompt Injection that could manipulate the sub-agents dispatched to resolve feedback.
  - Ingestion points: Untrusted feedback is fetched from the GitHub API via the `get-pr-comments` script in `workflow.md` (Phase 1).
  - Boundary markers: The skill mentions quoting feedback (e.g., using `>`-prefixed lines) but lacks formal or cryptographic delimiters to distinguish untrusted data from agent instructions.
  - Capability inventory: The skill possesses significant capabilities, including file modification, shell command execution (via `PROJECT_TEST_CMD`), and git operations (commit and push).
  - Sanitization: The workflow includes a "Forbidden" instruction to ignore shell commands in comment bodies, but it lacks programmatic sanitization or validation of the ingested comment text before passing it to sub-agents.
Audit Metadata