dependabot-review

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests and parses pull request titles and bodies fetched via gh pr list and gh pr view. Because pull request content is provided by external entities, an attacker could include malicious instructions in a PR body designed to trick the agent into misclassifying a dangerous update as safe or into performing unauthorized merges.
  • Ingestion points: Pull request titles and bodies are ingested in SKILL.md (Step 1) and WORKFLOW.md (Phase 1) for classification.
  • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or to ignore instructions embedded within the pull request content.
  • Capability inventory: The skill can execute GitHub actions including gh pr review --approve, gh pr merge, gh pr edit, and gh pr comment across various files in SKILL.md (Step 5).
  • Sanitization: Absent. There is no evidence of sanitization or strict validation of the markdown content retrieved from the PR body before the agent processes it.
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands using the GitHub CLI (gh). While these are used for legitimate repository management (merging, listing PRs, viewing diffs), the execution flow depends on data parsed from pull requests. This represents a capability that could be abused if the agent's logic is subverted via prompt injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 10:54 AM
Security Audit — agent-trust-hub — dependabot-review