skills/bjesuiter/skills/github-pr/Gen Agent Trust Hub

github-pr

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • REMOTE_CODE_EXECUTION (MEDIUM): The test and merge commands in scripts/github-pr.py automatically execute package manager commands on code merged from untrusted remote Pull Requests.
      • Evidence: The test() function calls run([pm, "install"]) and run([pm, "run", "build"]) after performing a git merge of a remote PR head.
      • Risk: An attacker-controlled PR can include malicious postinstall scripts in package.json or malicious logic in the build process, leading to full system compromise when the user runs github-pr test or github-pr merge without --no-install.
      • Context: Severity is set to MEDIUM because this is the primary functionality of the tool, but users must be aware that they are executing untrusted code.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted metadata from GitHub PRs which is then displayed to the agent or user.
      • Ingestion points: get_pr_info in scripts/github-pr.py fetches title, author, and comments via the gh CLI.
      • Boundary markers: Absent. PR content is printed directly to the console in panels and tables.
      • Capability inventory: The script has the capability to execute shell commands via subprocess.run and modify the local filesystem via git and npm.
      • Sanitization: Absent. No filtering is performed on the PR title or metadata before display or processing.
  • COMMAND_EXECUTION (SAFE): The script uses subprocess.run with list arguments, which effectively prevents traditional shell injection via the repo or pr_number arguments.
      • Evidence: run(["gh", "pr", "view", ...]) and run(["git", "fetch", ...]) in scripts/github-pr.py.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:47 PM