openclaw-pr-maintainer

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted external data from GitHub issues and pull requests while possessing significant operational capabilities, creating a surface for indirect prompt injection.
  • Ingestion points: The skill instructions in SKILL.md direct the agent to read issue and PR titles, bodies, and comments via gh, gitcrawl, and gh search (see SKILL.md).
  • Boundary markers: While the skill includes proactive instructions to use shell heredocs (`-F
  • <<'EOF'`) for safety when posting comments, it lacks semantic boundaries or instructions to ensure the agent disregards potentially malicious instructions embedded within the ingested GitHub content.
  • Capability inventory: The agent is authorized to perform repository-level actions including labeling, closing, and landing PRs, as well as executing shell commands and git operations (push, rebase).
  • Sanitization: The skill employs shell-level sanitization for outgoing data; however, there is no explicit validation or semantic sanitization of the incoming untrusted content.
  • [COMMAND_EXECUTION]: The skill automates workflows by executing several command-line utilities and a bundled bash script.
  • Evidence: The skill utilizes gh, gitcrawl, and a local script located at scripts/github-activity.sh.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 04:22 PM
Security Audit — agent-trust-hub — openclaw-pr-maintainer