lynx-repair
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves untrusted data from GitHub PR comments which could contain instructions designed to manipulate the agent's logic during the triage or repair phases. \n
- Ingestion points: Fetches PR review comments using 'gh pr view --comments' in the PERCH and LISTEN phases. \n
- Boundary markers: No explicit delimiters or instructions are used to distinguish between data and instructions in the comment content. \n
- Capability inventory: The skill can modify files, execute git commands, and run installation/build scripts. \n
- Sanitization: No sanitization or validation of the comment content is performed before it is processed or used in commit messages.\n- [COMMAND_EXECUTION]: Constructing 'git' and 'gh' commands using variables interpolated from external PR data (e.g., reviewer names and descriptions) presents a potential risk of command injection if the runtime environment does not provide sufficient isolation.\n- [EXTERNAL_DOWNLOADS]: The skill executes 'pnpm install' during the verification phase. While a standard development practice, this involves downloading and installing packages from external registries based on the project's configuration.
Audit Metadata