bootstrap-checks-from-prs
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/collect_prs.py uses the subprocess module to execute the GitHub CLI (gh) to retrieve repository and pull request metadata. This is a core function of the skill and relies on well-known, legitimate tooling.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by converting external pull request data into instructions for the agent.
  - Ingestion points: The scripts/collect_prs.py script fetches data from pull request bodies, review comments, and issue comments.
  - Boundary markers: The generated markdown files (produced by scripts/generate_check_drafts.py) do not employ delimiters or specific system instructions to prevent the agent from following malicious commands embedded in the evidence or rationale sections.
  - Capability inventory: The skill uses scripts/write_checks.py to write files to the .agents/checks/ directory. Agents that consume these generated checks generally possess capabilities to read/write files and execute shell commands.
  - Sanitization: Sanitization is limited to basic whitespace normalization and YAML quote escaping, which does not prevent an attacker from embedding natural language instructions that the agent might inadvertently follow.
Audit Metadata