pr-learning
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection, as its primary function is to ingest untrusted data from PR comments and promote it into persistent agent instructions.
  - Ingestion points: scripts/collect_feedback.py fetches PR review comments, thread transcripts, and commit messages, all of which are controlled by external PR participants.
  - Boundary markers: The skill does not wrap extracted rules in protective delimiters or provide instructions to the agent to ignore nested commands when processing the codified rules.
  - Capability inventory: The skill has capabilities to execute shell commands via the gh CLI and perform file-write operations to both the project root and the user home directory.
  - Sanitization: The scripts normalize whitespace and strip markdown for analysis but do not filter the content for adversarial prompt instructions before writing it to configuration files.
- [COMMAND_EXECUTION]: The skill executes shell commands using the gh (GitHub CLI) utility to fetch repository and PR metadata.
  - Evidence: scripts/common.py contains a run_command wrapper around subprocess.run that executes the gh binary.
  - Mitigation: The implementation safely passes arguments as a list and does not use shell=True, preventing direct shell injection via the CLI arguments.
Audit Metadata