handle-pr-comments
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill utilizes the GitHub CLI (
gh) and the official GraphQL API to manage pull request data and threads. These are standard interactions with a well-known service intended for development workflows. - [PROMPT_INJECTION]: The skill processes untrusted external data in the form of PR comments, which represents a surface for indirect prompt injection where an attacker could attempt to influence the agent's logic.
- Ingestion points: Pull request comments and review threads are fetched via GraphQL as described in
SKILL.md(Step 2). - Boundary markers: The instructions do not specify the use of delimiters or warnings to separate external comment text from the agent's internal logic.
- Capability inventory: The skill has the ability to read code, modify files, and perform git commits via the shell.
- Sanitization: There is no mention of sanitizing or filtering the content of the comments before processing.
- Mitigation: The impact is mitigated by a human-in-the-loop design. Every action (applying a fix, replying, or committing) is gated by an interactive prompt (
AskQuestion), ensuring the user reviews and authorizes all changes.
Audit Metadata