skills/kevmoo/kevmoo_skills/pr-loop/Gen Agent Trust Hub

pr-loop

Pass

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it automatically ingests and processes data from external sources (GitHub PR comments and review threads). A malicious actor could post comments designed to trick the agent into implementing backdoors or unauthorized code changes during the autonomous remediation phase.
  • Ingestion points: Processes pull request comments and GraphQL-based review threads (SKILL.md).
  • Boundary markers: No clear delimiters or specific instructions are provided to the agent to distinguish between trustworthy instructions and untrusted data from comments.
  • Capability inventory: Includes high-impact capabilities such as 'git commit', 'git push' to remote repositories, and 'gh api' write operations (SKILL.md).
  • Sanitization: Mitigated somewhat by requirements for 'Empirical Skepticism' and mandatory verification using compilers and automated tests before committing changes.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to manage the git lifecycle and GitHub PR status, including 'git commit', 'git push', 'gh pr create', and 'gh api'. It also executes local Dart scripts ('pr_status.dart' and 'triage.dart') to determine loop state and remediation steps.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 3, 2026, 08:37 AM
Security Audit — agent-trust-hub — pr-loop