multi-agent-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection by design. It fetches external content from GitHub PR comments and instructs the agent to process and act upon it without safety boundaries. * Ingestion points:
scripts/check-pr-feedback.shretrieves comment bodies via the GitHub API. * Boundary markers: None. The agent receives the raw content of comments mixed with its own operational instructions. * Capability inventory: The skill allows for repository modification (git commit) and code publication (git push), as well as responding to comments viascripts/reply-to-inline.sh. * Sanitization: None. There is no mechanism to filter or validate the instructions contained within PR comments. - [COMMAND_EXECUTION] (LOW): The skill executes local shell scripts and interacts with the GitHub CLI (
gh). This is the intended functionality but involves executing commands based on user or agent-provided parameters such as PR numbers and comment IDs.
Recommendations
- AI detected serious security threats
Audit Metadata