git-workflow
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The 'PR Fix Comments Workflow' processes external, potentially untrusted data from GitHub PR comments and issue comments via commands like 'bun run gh-tool pr threads' and 'bun run gh-tool pr issue-comments-latest'. The skill instructs the agent to 'Make the code change' based on these suggestions, creating an indirect prompt injection surface. An attacker could post a malicious comment designed to trick the agent into injecting a backdoor or exfiltrating data during the automated 'Apply Fixes' step.
  - Ingestion points: PR threads and issue comments fetched in Step 2 of the PR Fix Comments Workflow in SKILL.md.
  - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present to distinguish comments from safe instructions.
  - Capability inventory: The skill possesses extensive capabilities including file system modification, 'git commit', 'git push', and arbitrary command execution via 'bun run check'.
  - Sanitization: No sanitization or validation of the comment body is performed before the agent attempts to interpret and apply the code suggestions.
- [COMMAND_EXECUTION]: The skill generates shell commands by directly interpolating user-controlled variables into strings, such as 'git commit -m ""' and 'bun run gh-tool pr create --title "" --body ""'. This pattern is vulnerable to command injection if the strings are not properly escaped by the agent's tool execution environment.
Audit Metadata