pr-review-resolver

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external PR comments.
      • Ingestion points: Fetches PR comment content from GitHub using the cache-read-comment.sh script in SKILL.md (Step 1).
      • Boundary markers: The instructions do not specify the use of delimiters or 'ignore embedded instructions' warnings when passing comment content to background tasks (Step 3.4).
      • Capability inventory: The skill utilizes Task, Bash, Edit, and Write tools, enabling it to modify code and execute commands.
      • Sanitization: No explicit sanitization or validation of the external comment content is performed before interpolation into sub-task prompts.
      • Mitigation: The process is entirely interactive, requiring the user to decide on the fix and approve the action for each individual item, providing a robust human-in-the-loop check.
  • [COMMAND_EXECUTION]: The skill executes local shell scripts to manage the PR workflow and synchronize data with GitHub.
      • It calls environment-provided scripts like get-pr-number.sh, cache-read-comment.sh, and cache-write-comment.sh from the ${CLAUDE_PLUGIN_ROOT}/scripts/ directory.
      • It employs standard utilities such as jq for JSON manipulation and mktemp with trap for secure temporary file handling during metadata updates.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 06:18 AM