pr-to-ready

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests and acts upon untrusted data from external PR hosts.
  • Ingestion points: According to Step 2 of the workflow in SKILL.md, the agent inspects PR titles, bodies, review submissions, and comments, all of which can be controlled by external actors.
  • Boundary markers: The skill does not define explicit delimiters or instructions to ignore potential commands embedded within the PR content.
  • Capability inventory: The agent is empowered to modify files (Step 4) and execute shell commands for verification (Step 5), creating a risk that malicious instructions in a comment could be translated into harmful system actions.
  • Sanitization: No sanitization, validation, or filtering of the PR content is mentioned in the instructions.
  • [COMMAND_EXECUTION]: The skill executes shell commands as part of its primary workflow to verify that PR fixes are successful.
  • Evidence: Workflow Step 5 in SKILL.md explicitly directs the agent to 'Run the smallest verification that proves the fixes', which involves shell-based test execution and verification logic within the repository context.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 02:26 PM
Security Audit — agent-trust-hub — pr-to-ready