address-pr-feedback
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted PR comments which could contain malicious instructions designed to hijack the agent's behavior during the fix or verification phases.
- Ingestion points: PR comments and diffs are fetched in 'Step 1: Locate the PR' using 'gh' CLI and GitHub GraphQL API.
- Boundary markers: No explicit boundaries or instructions are provided to the agent to differentiate between the feedback data and system instructions.
- Capability inventory: The skill is capable of modifying files, running shell-based verification tests, and interacting with the GitHub API.
- Sanitization: The skill does not include any sanitization or validation of the fetched PR feedback before the agent acts on it.
- [COMMAND_EXECUTION]: The skill instructions suggest passing user-provided input from '$ARGUMENTS' directly into the 'gh' CLI, which creates a command injection vulnerability surface.
- Evidence: Step 1 describes using '$ARGUMENTS' with commands such as 'gh pr view', where a malicious user could provide input designed to break out of the command context and execute arbitrary shell commands.
Audit Metadata