git
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides and executes a Python script (`scripts/pr-watch.py`) which invokes the `gh` (GitHub CLI) tool using `subprocess.run` to poll Pull Request status and CI checks.
  - Evidence: `scripts/pr-watch.py` line 92 uses `subprocess.run(["gh", *args], ...)` with list-based arguments, which is a standard safety measure to prevent command injection.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection because it is designed to ingest and act upon external data from GitHub comments and reviews.
  - Ingestion points: `scripts/pr-watch.py` fetches untrusted text from GitHub PR reviews and comments (lines 145, 156, and 166).
  - Boundary markers: The skill does not implement explicit delimiters or "ignore embedded instructions" warnings for this external content before it is processed by the agent.
  - Capability inventory: The agent is instructed to "address BOTREVIEWs automatically" and respond to human feedback, providing a mechanism for external content to influence repository actions.
  - Sanitization: No sanitization or escaping of the external text is performed before interpolation into the prompt context.
Audit Metadata