skills/openhands/extensions/iterate/Gen Agent Trust Hub

iterate

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the gh CLI and git to automate PR management.
      • Evidence includes commands for creating PRs, checking CI status (gh pr checks), rerunning failed jobs (gh run rerun), and managing review threads via the GraphQL and REST APIs.
  • [PROMPT_INJECTION]: The instructions include directives for the agent to operate with a high degree of autonomy.
      • The skill explicitly instructs the agent: "Do not stop to ask the user whether to continue polling; continue autonomously until a strict stop condition is met or the user interrupts."
  • [PROMPT_INJECTION]: The skill processes untrusted data from external sources (PR comments and CI logs), which could be used as an indirect prompt injection vector.
      • Ingestion points: PR reviews, inline comments, and QA reports are fetched via gh pr view and gh api calls (documented in SKILL.md Steps 3 and 4).
      • Boundary markers: No explicit delimiters or instruction-isolation warnings are present when the agent processes this external content.
      • Capability inventory: The agent has the ability to perform file writes, git commits/pushes, and execute shell commands to "fix code" based on the ingested data.
      • Sanitization: There is no mention of sanitizing or validating the content of the comments before the agent acts upon them.
      • Mitigation: The skill includes logic to filter reviews only from trusted sources (OWNER, MEMBER, COLLABORATOR) or recognized bot accounts (openhands, all-hands-bot), significantly reducing the attack surface.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:58 PM