stacked-prs
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/check-stack-status.ts` and the examples in `references/automation-patterns.md` use `execSync` to execute shell commands with unsanitized string interpolation for the `--repo` argument. This allows for potential command injection if a malicious repository name is provided to the script or used in the automation logic.
- [PROMPT_INJECTION]: The skill documentation encourages the creation of an autonomous agent that reads and acts upon external pull request comments, which is a surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: Pull request comment bodies are fetched from the GitHub API in `references/automation-patterns.md` (e.g., in the `getOpenComments` and `autoFixCallback` functions).
  - Boundary markers: None identified. The instructions do not define clear boundaries between system instructions and the content of external comments.
  - Capability inventory: The documented patterns include high-impact capabilities such as command execution (`execSync`), repository modification (`git push`), and automated thread interaction via the GitHub CLI.
  - Sanitization: No evidence of input sanitization or validation of the comment content before processing it to determine agent actions or applying code fixes.
Audit Metadata