openclaw-pr-maintainer
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data from GitHub issues and pull requests while possessing significant operational capabilities, creating a surface for indirect prompt injection.
- Ingestion points: The skill instructions in
SKILL.mddirect the agent to read issue and PR titles, bodies, and comments viagh,gitcrawl, andgh search(seeSKILL.md). - Boundary markers: While the skill includes proactive instructions to use shell heredocs (`-F
- <<'EOF'`) for safety when posting comments, it lacks semantic boundaries or instructions to ensure the agent disregards potentially malicious instructions embedded within the ingested GitHub content.
- Capability inventory: The agent is authorized to perform repository-level actions including labeling, closing, and landing PRs, as well as executing shell commands and git operations (push, rebase).
- Sanitization: The skill employs shell-level sanitization for outgoing data; however, there is no explicit validation or semantic sanitization of the incoming untrusted content.
- [COMMAND_EXECUTION]: The skill automates workflows by executing several command-line utilities and a bundled bash script.
- Evidence: The skill utilizes
gh,gitcrawl, and a local script located atscripts/github-activity.sh.
Audit Metadata