skills/rogeriochaves/skills/drive-pr/Gen Agent Trust Hub

drive-pr

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes PR comments from external sources (reviewers and bots) and treats them as actionable instructions. An attacker could embed malicious instructions within a comment to manipulate the agent's behavior.
    • Ingestion points: Pull request comments (CodeRabbit and other reviewers).
    • Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore embedded instructions within comments.
    • Capability inventory: Local shell command execution (CI jobs), file system modification, and network operations (git push).
    • Sanitization: Absent. The agent is directed to 'address' and 'fix' issues based directly on comment content.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands locally to reproduce and fix CI failures, such as unit tests, linting, and type-checking. While this is the intended purpose of the skill, it represents a capability that can be misused if the agent is influenced by malicious input.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 07:57 AM