github-pr-comments
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from GitHub PR comments, which could potentially contain malicious instructions intended to manipulate the agent.
  1. Ingestion points: External data enters the context through PR comment bodies and diff hunks fetched by the scripts/pr-comments.sh script.
  2. Boundary markers: The script output uses text-based delimiters like '-- code context --' and '-- comment --' to delineate fields, but the skill instructions lack explicit warnings for the agent to ignore embedded instructions in the fetched data.
  3. Capability inventory: The skill empowers the agent to modify the filesystem and execute system commands like 'cargo check' and 'cargo nextest run' (documented in SKILL.md).
  4. Sanitization: No sanitization or validation is applied to the fetched comment content before processing.
- [COMMAND_EXECUTION]: The skill involves the execution of local shell scripts and development tools such as the GitHub CLI (gh) and Rust's cargo manager to perform its tasks.
Audit Metadata