Skills
skills/linuxlewis/agent-skills/pr-responder/Gen Agent Trust Hub

pr-responder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): Indirect Prompt Injection vulnerability surface detected. The skill's core purpose is to process external, attacker-controllable data from GitHub PR comments.
  • Ingestion points: GitHub API via gh api repos/{owner}/{repo}/pulls/{pr_number}/comments.
  • Boundary markers: Absent. There are no delimiters or instructions to treat comment text as untrusted data.
  • Capability inventory: The skill is granted Bash and Edit tools, allowing for arbitrary command execution and source code manipulation.
  • Sanitization: Absent. No filtering or escaping is performed on external content before it is processed by the agent.
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes the Bash tool to perform operations. When combined with the processing of untrusted PR comments, this provides a direct path for an attacker to execute shell commands if the agent follows instructions embedded in a comment.
  • EXTERNAL_DOWNLOADS (LOW): Requires the GitHub CLI (gh) to be installed and authenticated. This is a dependency on a trusted external source (GitHub), but the requirement for a pre-authenticated session increases the impact if the skill is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:25 PM
Security Audit — agent-trust-hub — pr-responder