finish-pr
Pass
Audited by Gen Agent Trust Hub on May 26, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon untrusted external data.
  - Ingestion points: In workflows/ready-for-merge.md, the skill fetches PR comments and review threads via GraphQL (Step 11) and inspects external check logs (Step 10).
  - Boundary markers: There are no boundary markers or instructions to treat data within comments or logs as untrusted or to ignore embedded instructions.
  - Capability inventory: The agent can execute git commit, git push, and arbitrary shell commands derived from local repository documentation.
  - Sanitization: No sanitization or validation is applied to the content of comments or logs before they are processed by the triage state machine.
- [COMMAND_EXECUTION]: The skill is instructed to run commands found in potentially untrusted local files.
  - Evidence: workflows/ready-for-merge.md (Step 3) directs the agent to "Verify locally using documented repository guidance. Prefer commands listed in AGENTS.md, README files, or package scripts." This allows instructions from a malicious repository or PR to trigger arbitrary command execution in the agent's shell environment.
Audit Metadata