looper-pr-takeover
Fail
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references and directs users to download components from a repository not associated with a trusted vendor or well-known service.
- Evidence:
SKILL.mdprovides links tohttps://raw.githubusercontent.com/nexu-io/looper/main/mirrors/mirrors-looper/looper-pr-takeover/references/github-commands.mdand instructs users to install a daemon fromhttps://github.com/nexu-io/looper. - [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the agent to fetch a remote Markdown file and treat its content as executable instructions, which constitutes remote code execution in an agentic workflow.
- Evidence: The 'One universal prompt' section contains the command:
read https://raw.githubusercontent.com/nexu-io/looper/main/mirrors/mirrors-looper/looper-pr-takeover/SKILL.md and follow it. - [COMMAND_EXECUTION]: The skill utilizes the GitHub CLI (
gh) andgitto perform sensitive operations on the repository, including modifying source code and merging branches. - Evidence: Use of
gh pr merge,gh api graphqlfor state mutations, andgit pushinSKILL.mdandreferences/github-commands.md. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitHub review comments and uses it to guide code modifications without validation or boundary enforcement.
- Ingestion points:
SKILL.mdusesgh api graphqlto fetch the body of unresolved review comments. - Capability inventory: The skill has permissions to modify code, commit, push, and merge PRs.
- Boundary markers: None. The skill lacks instructions for the agent to distinguish between legitimate code requests and malicious instructions embedded in comments.
- Sanitization: No sanitization of input data is performed before the agent acts on the instructions contained within pull request comments.
Recommendations
- AI detected serious security threats
Audit Metadata