preen-deferred-fixes
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and acts upon untrusted data from GitHub issues and PR comments.
- Ingestion points: The skill reads the body of GitHub issues and PR comments using
./scripts/agents/tooling/agentTool.tsactions likegetIssueandfindDeferredWork(SKILL.md). - Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate potentially malicious commands embedded within the fetched PR comments.
- Capability inventory: The skill has significant capabilities, including executing local scripts (
agentTool.ts), running shell commands (pnpm), and performing code modifications via git (/commit-and-push,git push). - Sanitization: The analysis of the instructions reveals no sanitization or validation logic to filter out executable instructions found within the PR review data.
- [COMMAND_EXECUTION]: The skill executes local scripts and system tools to perform its tasks.
- Evidence: It invokes
./scripts/agents/tooling/agentTool.tsto interact with GitHub APIs. - Evidence: It executes
pnpm lint,pnpm typecheck, andpnpm testfor code validation. - Evidence: It uses git commands for version control operations. These commands are consistent with the skill's intended purpose of managing code fixes.
Audit Metadata