refactor
Fail
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection. It ingests untrusted data from
gh pr diffandPR_TITLEand interpolates it directly into subagent prompts without any delimiters, boundary markers, or instructions to ignore embedded commands. Since this data is attacker-controlled, a malicious PR could include instructions designed to hijack the subagents. - [PROMPT_INJECTION]: Subagents are spawned using
mode: "bypassPermissions". This configuration removes platform-standard security constraints and safeguards, significantly increasing the risk if a subagent is compromised via prompt injection. - [COMMAND_EXECUTION]: The skill performs automated write-back to the codebase. In Step 6, it uses the
Edittool to apply code changes suggested by subagents and then executesgit commitandgit push. If an attacker successfully influences the subagent output via a malicious diff, they can achieve arbitrary code injection into the target repository. - [COMMAND_EXECUTION]: Potential shell command injection exists in Steps 7 and 8. The skill constructs
gh apicalls using variables (FORMATTED_COMMENT,SUMMARY_BODY) derived from subagent output. If the subagents are manipulated into producing output containing shell metacharacters (e.g., backticks or command substitutions), it could lead to arbitrary command execution on the runner. - [PROMPT_INJECTION]: Indirect Prompt Injection Analysis:
- Ingestion points: Untrusted data enters the context via
gh pr view(PR Title) andgh pr diff(Full Diff) inSKILL.md(Steps 1 and 2). - Boundary markers: Absent. The data is interpolated directly into templates (e.g.,
{FULL_DIFF}). - Capability inventory: The skill has
Editcapabilities andBashaccess to performgit commit,git push, andgh apicalls. - Sanitization: Absent. There is no evidence of escaping or validating the content extracted from the PR diff before it is used in prompts or shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata