looper-pr-takeover

Fail

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references and directs users to download components from a repository not associated with a trusted vendor or well-known service.
  • Evidence: SKILL.md provides links to https://raw.githubusercontent.com/nexu-io/looper/main/mirrors/mirrors-looper/looper-pr-takeover/references/github-commands.md and instructs users to install a daemon from https://github.com/nexu-io/looper.
  • [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the agent to fetch a remote Markdown file and treat its content as executable instructions, which constitutes remote code execution in an agentic workflow.
  • Evidence: The 'One universal prompt' section contains the command: read https://raw.githubusercontent.com/nexu-io/looper/main/mirrors/mirrors-looper/looper-pr-takeover/SKILL.md and follow it.
  • [COMMAND_EXECUTION]: The skill utilizes the GitHub CLI (gh) and git to perform sensitive operations on the repository, including modifying source code and merging branches.
  • Evidence: Use of gh pr merge, gh api graphql for state mutations, and git push in SKILL.md and references/github-commands.md.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitHub review comments and uses it to guide code modifications without validation or boundary enforcement.
  • Ingestion points: SKILL.md uses gh api graphql to fetch the body of unresolved review comments.
  • Capability inventory: The skill has permissions to modify code, commit, push, and merge PRs.
  • Boundary markers: None. The skill lacks instructions for the agent to distinguish between legitimate code requests and malicious instructions embedded in comments.
  • Sanitization: No sanitization of input data is performed before the agent acts on the instructions contained within pull request comments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 3, 2026, 06:26 PM
Security Audit — agent-trust-hub — looper-pr-takeover