pr-ready
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes various local development commands (npm, npx, pytest, ruff, etc.) to perform code quality checks. These tools often execute local configuration files (like package.json scripts) which could contain malicious code if the project being checked is untrusted.
- [INDIRECT_PROMPT_INJECTION] (LOW): The script
scripts/check-deploy-ready.shcapturesgit diffoutput and presents it to the agent for analysis. Malicious instructions embedded in source code changes or comments could potentially influence agent behavior during the review process. - Ingestion points: Captured via
git diff HEADinscripts/check-deploy-ready.sh. - Boundary markers: Output is wrapped in markdown code blocks (
diff) inscripts/check-deploy-ready.sh. - Capability inventory: Subprocess execution via shell scripts (type checks, linting, tests).
- Sanitization: None; raw diff output is provided to the agent context.
Audit Metadata