pr-management
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes a vendor-specific CLI tool named
gh-managerto perform GitHub operations. These operations include listing, fetching, and modifying pull requests through commands likegh-manager prs list,get,diff,comments,label,request-review,merge, andclose. - [PROMPT_INJECTION]: The skill has an attack surface for Indirect Prompt Injection (Category 8) due to its core functionality of processing external data.
- Ingestion points: The agent ingests untrusted data from GitHub pull request titles, bodies, diffs, and comments via the
gh-managertool (SKILL.md). - Boundary markers: The skill instructions do not specify any boundary markers or instructions for the agent to ignore potentially malicious directions embedded within the PR content.
- Capability inventory: The agent has the authority to perform significant actions including merging pull requests, closing pull requests, and requesting reviews (
SKILL.md). - Sanitization: No sanitization or validation logic is defined to filter out or escape potentially malicious instructions found within the processed PR data. An attacker could craft a PR description or comment designed to influence the agent's triage or merge decisions.
Audit Metadata