renovate-merge
Fail
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes pull request titles and bodies that contain third-party changelogs and release notes, creating an indirect prompt injection surface.
- Ingestion points: Untrusted data enters the agent context via
gh pr view(SKILL.md, Step 0 and Step 2). - Boundary markers: The skill includes explicit instructions in Step 0 to treat all PR content as data and ignore any embedded instructions or payloads.
- Capability inventory: The skill utilizes
gh pr review --approveandgh pr mergeto modify repository state (SKILL.md, Step 3). - Sanitization: The skill employs
jqto isolate specific data fields and instructs the agent to perform manual reviews if content appears anomalous. - [EXTERNAL_DOWNLOADS]: The skill fetches package metadata from well-known technology services to verify release safety.
- Evidence: Downloads crate information from the official Crates.io API and package metadata via
npm view(SKILL.md, Step 2, Gate D). These are well-known services and the data is used for legitimate version-age verification. - [COMMAND_EXECUTION]: The skill uses local CLI tools to perform its primary function of repository maintenance.
- Evidence: Executes
gh,curl,npm,grep, andpython3to audit pull requests. These tools are used to verify cryptographic signatures, analyze diffs for malware patterns, and check CI status.
Recommendations
- HIGH: Downloads and executes remote code from: https://crates.io/api/v1/crates/ - DO NOT USE without thorough review
Audit Metadata