pr-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection. 1. Ingestion points:
agents/pr-manager.md(git diffs, commit messages),agents/test-runner.md(test output),agents/code-reviewer.md(source code). 2. Boundary markers: Absent. The subagents do not use delimiters to isolate untrusted content from system instructions. 3. Capability inventory:agents/test-runner.mdexecutes local shell scripts (./test.sh) andagents/pr-manager.md/agents/test-runner.mdcan modify repository files. 4. Sanitization: Absent. There is no evidence of filtering or escaping external content before processing. - [COMMAND_EXECUTION] (MEDIUM): Subagents perform command execution on local scripts. Evidence:
agents/test-runner.mdexecutes commands likecd backend && ./test.sh. This provides an attack vector if an indirect injection influences the script content or the execution parameters.
Recommendations
- AI detected serious security threats
Audit Metadata