refactor

Fail

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection. It ingests untrusted data from gh pr diff and PR_TITLE and interpolates it directly into subagent prompts without any delimiters, boundary markers, or instructions to ignore embedded commands. Since this data is attacker-controlled, a malicious PR could include instructions designed to hijack the subagents.
  • [PROMPT_INJECTION]: Subagents are spawned using mode: "bypassPermissions". This configuration removes platform-standard security constraints and safeguards, significantly increasing the risk if a subagent is compromised via prompt injection.
  • [COMMAND_EXECUTION]: The skill performs automated write-back to the codebase. In Step 6, it uses the Edit tool to apply code changes suggested by subagents and then executes git commit and git push. If an attacker successfully influences the subagent output via a malicious diff, they can achieve arbitrary code injection into the target repository.
  • [COMMAND_EXECUTION]: Potential shell command injection exists in Steps 7 and 8. The skill constructs gh api calls using variables (FORMATTED_COMMENT, SUMMARY_BODY) derived from subagent output. If the subagents are manipulated into producing output containing shell metacharacters (e.g., backticks or command substitutions), it could lead to arbitrary command execution on the runner.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Analysis:
  • Ingestion points: Untrusted data enters the context via gh pr view (PR Title) and gh pr diff (Full Diff) in SKILL.md (Steps 1 and 2).
  • Boundary markers: Absent. The data is interpolated directly into templates (e.g., {FULL_DIFF}).
  • Capability inventory: The skill has Edit capabilities and Bash access to perform git commit, git push, and gh api calls.
  • Sanitization: Absent. There is no evidence of escaping or validating the content extracted from the PR diff before it is used in prompts or shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 21, 2026, 12:58 AM
Security Audit — agent-trust-hub — refactor