watch-pr
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple local shell scripts located in the .claude/hooks/ directory, specifically ci-wait.sh, lint.sh, and test.sh. This relies on the security of the local repository environment: whatever is checked into those hook files runs with the agent's privileges.
- [COMMAND_EXECUTION]: Extensive use of gh (GitHub CLI) for repository operations, including fetching logs (gh run view --log-failed), polling API endpoints, and pushing code changes to the remote repository.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via external data sources.
- Ingestion points: Untrusted data enters the agent context through GitHub PR review bodies, line-level comments, and CI failure logs.
- Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to ignore instructions embedded within the logs or comments.
- Capability inventory: The skill possesses Bash, Edit, Write, and Skill (specifically invoking ralph-loop) capabilities, allowing it to modify source code and execute shell commands based on the ingested data.
- Sanitization: None. The skill is directed to "Understand the suggestion" and "apply the fix" directly from PR comments, which could contain malicious instructions designed to exfiltrate data or compromise the build environment.
- [COMMAND_EXECUTION]: The skill provides for autonomous code modification and pushing to a remote repository in response to CI failures without a mandatory human-in-the-loop verification (though a verification step exists for PR review fixes).
Audit Metadata