renovate-merge

Fail

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes pull request titles and bodies that contain third-party changelogs and release notes, creating an indirect prompt injection surface.
  • Ingestion points: Untrusted data enters the agent context via gh pr view (SKILL.md, Step 0 and Step 2).
  • Boundary markers: The skill includes explicit instructions in Step 0 to treat all PR content as data and ignore any embedded instructions or payloads.
  • Capability inventory: The skill utilizes gh pr review --approve and gh pr merge to modify repository state (SKILL.md, Step 3).
  • Sanitization: The skill employs jq to isolate specific data fields and instructs the agent to perform manual reviews if content appears anomalous.
  • [EXTERNAL_DOWNLOADS]: The skill fetches package metadata from well-known technology services to verify release safety.
  • Evidence: Downloads crate information from the official Crates.io API and package metadata via npm view (SKILL.md, Step 2, Gate D). These are well-known services and the data is used for legitimate version-age verification.
  • [COMMAND_EXECUTION]: The skill uses local CLI tools to perform its primary function of repository maintenance.
  • Evidence: Executes gh, curl, npm, grep, and python3 to audit pull requests. These tools are used to verify cryptographic signatures, analyze diffs for malware patterns, and check CI status.
Recommendations
  • HIGH: Downloads and executes remote code from: https://crates.io/api/v1/crates/ - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 7, 2026, 12:54 AM
Security Audit — agent-trust-hub — renovate-merge