gh-fix-ci
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): Indirect Prompt Injection vulnerability (Category 8). The skill ingests data from external GitHub sources to influence its decision-making and implementation logic.
- Ingestion points: Reviewer comments, PR descriptions, review thread bodies, and CI failure log snippets obtained via the GitHub CLI.
- Boundary markers: No specific delimiters or safety instructions are mentioned to prevent the model from following commands found within the ingested PR data.
- Capability inventory: The skill can execute local scripts, interact with the gh CLI to write comments and resolve threads, and use a secondary plan skill to generate and apply code changes.
- Sanitization: There is no evidence of sanitization or instruction-filtering performed on the text retrieved from GitHub.
- COMMAND_EXECUTION (SAFE): The skill utilizes a bundled script (inspect_pr_checks.py) and the gh CLI. While these allow for broad repository access and modification, they are necessary for the skill's stated purpose of PR remediation. The use of high-privilege scopes (workflow) is documented but increases the risk of the indirect injection surface.
Audit Metadata