pr-research
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted data from external repositories.
  1. Ingestion points: Reads CONTRIBUTING.md, README.md, and GitHub CLI outputs (issue/PR data).
  2. Boundary markers: Absent; no delimiters are used to separate external content from instructions.
  3. Capability inventory: Employs Bash, Write, and Read tools.
  4. Sanitization: Absent; external data is processed without filtering.
- COMMAND_EXECUTION (LOW): The skill interpolates repository names and search terms into Bash commands. While necessary for the skill's primary purpose, this presents a surface for command injection if inputs are not properly handled.
- DYNAMIC_EXECUTION (LOW): The validation script uses eval on static, hardcoded strings to verify the presence of system binaries, which is a low-risk pattern in this context.
Audit Metadata