clawhub-pr-maintainer

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted data from GitHub pull request and issue content (titles, bodies, and comments) using gh pr view and gh issue view. An attacker could include malicious instructions in a PR description to manipulate the agent's behavior.
  • Ingestion points: GitHub CLI commands gh pr view, gh issue view, and gh api (fetching user comments and PR descriptions).
  • Boundary markers: Absent; no instructions are provided to the agent to ignore or delimit embedded instructions in the fetched data.
  • Capability inventory: GitHub CLI for commenting, labeling, and closing; execution of local scripts via bun run; and the ability to write and run Playwright test scenarios.
  • Sanitization: Absent; the skill does not specify any validation or sanitization of the data retrieved from GitHub.
  • [COMMAND_EXECUTION]: The skill uses the GitHub CLI and bun to execute local scripts and manage repository states. These capabilities are intended for maintainer workflows but provide a significant impact surface if the agent is influenced by malicious input.
  • [COMMAND_EXECUTION]: The instructions require the agent to dynamically generate and store Playwright test scenarios in the .artifacts/proof-scenarios/ directory. This dynamic code generation is used for creating visual proof artifacts.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 03:30 PM
Security Audit — agent-trust-hub — clawhub-pr-maintainer