pr-comments

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill correctly identifies pull request comments as untrusted input and manages the risk of indirect prompt injection.
      ◦ Ingestion points: Comment content is fetched via the GitHub API in SKILL.md (Steps 2, 2b, and 2c).
      ◦ Boundary markers: The skill uses a mandatory screening step (Step 5) and a plan confirmation gate (Step 7) to separate input processing from execution.
      ◦ Capability inventory: The skill can modify the local filesystem, perform git commits and pushes, and interact with the GitHub API.
      ◦ Sanitization: Comprehensive rules in references/security.md are used to detect and decline malicious instructions, homoglyph attacks, and hidden content within comments.
  • [COMMAND_EXECUTION]: The skill mitigates potential command injection from untrusted comment content by enforcing strict shell quoting safety and the use of temporary files for API payloads, as documented in references/reply-formats.md.
  • [SAFE]: The static analysis warning for instruction overrides is a false positive; the suspicious phrases are contained in a safety reference file (references/security.md) as patterns to be detected and rejected by the skill's screening logic.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 11:21 PM