pr-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `git` and `gh` (GitHub) CLI tools to automate repository operations, including staging, committing, pushing, and PR creation. It also executes several local Python scripts (`classify-repo.py`, `learning-db.py`, `adr-status.py`) to manage repository metadata and learning databases.
- [COMMAND_EXECUTION]: Employs the `CLAUDE_GATE_BYPASS=1` environment variable to explicitly bypass internal git submission hooks. While documented as a necessary step for the pipeline to function as the primary quality gate, this represents a deliberate circumvention of platform-level security policies.
- [COMMAND_EXECUTION]: Phase 4c (Retro) implements a self-modifying workflow for specialized repositories. It automatically generalizes review findings and embeds them into agent instruction files (`agents/*.md`) or skill files (`SKILL.md`). If the review process is influenced by malicious input (e.g., via indirect prompt injection in the code being reviewed), this could lead to the persistence of malicious instructions in the agent's configuration.
- [PROMPT_INJECTION]: There is a surface for indirect prompt injection in Phase 5 during the generation of PR titles and bodies. These are derived from untrusted artifacts such as `git diff` output and `task_plan.md`. The skill lacks explicit sanitization or strict boundary markers when interpolating this untrusted data into the metadata fields of the pull request.
- [DATA_EXFILTRATION]: While the skill's primary function involves pushing code to remote repositories, it incorporates a proactive security gate in Phase 1 that specifically scans for and blocks common sensitive file patterns (e.g., `.env`, `.pem`, `secrets.*`) from being staged or committed, mitigating accidental credential exposure.