handle-pr-comments

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill utilizes the GitHub CLI (gh) and the official GraphQL API to manage pull request data and threads. These are standard interactions with a well-known service intended for development workflows.
  • [PROMPT_INJECTION]: The skill processes untrusted external data in the form of PR comments, which represents a surface for indirect prompt injection where an attacker could attempt to influence the agent's logic.
  • Ingestion points: Pull request comments and review threads are fetched via GraphQL as described in SKILL.md (Step 2).
  • Boundary markers: The instructions do not specify the use of delimiters or warnings to separate external comment text from the agent's internal logic.
  • Capability inventory: The skill has the ability to read code, modify files, and perform git commits via the shell.
  • Sanitization: There is no mention of sanitizing or filtering the content of the comments before processing.
  • Mitigation: The impact is mitigated by a human-in-the-loop design. Every action (applying a fix, replying, or committing) is gated by an interactive prompt (AskQuestion), ensuring the user reviews and authorizes all changes.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 12:30 PM
Security Audit — agent-trust-hub — handle-pr-comments