pr-to-ready
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests and acts upon untrusted data from external PR hosts.
- Ingestion points: According to Step 2 of the workflow in
SKILL.md, the agent inspects PR titles, bodies, review submissions, and comments, all of which can be controlled by external actors. - Boundary markers: The skill does not define explicit delimiters or instructions to ignore potential commands embedded within the PR content.
- Capability inventory: The agent is empowered to modify files (Step 4) and execute shell commands for verification (Step 5), creating a risk that malicious instructions in a comment could be translated into harmful system actions.
- Sanitization: No sanitization, validation, or filtering of the PR content is mentioned in the instructions.
- [COMMAND_EXECUTION]: The skill executes shell commands as part of its primary workflow to verify that PR fixes are successful.
- Evidence: Workflow Step 5 in
SKILL.mdexplicitly directs the agent to 'Run the smallest verification that proves the fixes', which involves shell-based test execution and verification logic within the repository context.
Audit Metadata