pr-comment-resolution
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted pull request comments and review feedback from GitHub, which may contain indirect prompt injection attempts designed to manipulate the agent's behavior.
  - Ingestion points: External comments and threads are fetched from the GitHub API by `scripts/collect_pr_feedback.py` and provided to the agent for auditing.
  - Boundary markers: The skill's presentation logic in `SKILL.md` utilizes markdown blockquotes to encapsulate external reviewer feedback, which helps establish a structural boundary between untrusted data and agent instructions.
  - Capability inventory: The skill possesses the ability to modify local source code (Step 4) and perform authenticated write actions on GitHub (replying to comments, creating issue comments, and resolving threads) via `scripts/apply_resolution_actions.py`.
  - Sanitization: Instructions in `SKILL.md` direct the agent to strip UI chrome and bot footers, but the skill lacks a robust mechanism to sanitize or ignore malicious instructions embedded within natural language feedback text.
- [COMMAND_EXECUTION]: The skill executes local Python scripts and system binaries (`gh` and `git`) to facilitate the PR audit and resolution process.
  - Evidence: The scripts `scripts/collect_pr_feedback.py` and `scripts/apply_resolution_actions.py` utilize the Python `subprocess` module to execute commands. These executions correctly use argument lists rather than shell strings, effectively preventing shell injection vulnerabilities.
Audit Metadata