pr-learning
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
gh(GitHub CLI) tool via the Pythonsubprocessmodule to retrieve repository and pull request data. These executions use argument lists rather than shell strings, which mitigates shell injection risks. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data from GitHub.
- Ingestion points: Untrusted data in the form of PR comments, review threads, and commit headlines is ingested via
scripts/collect_feedback.pyusing the GitHub API. - Boundary markers: The analysis process lacks delimiters or specific instructions to the agent to disregard embedded commands when evaluating the PR feedback for rule candidates.
- Capability inventory: The skill is capable of modifying persistent configuration files (
AGENTS.md,CLAUDE.md) in the project directory and the user's home directory (~/.codexor~/.claude) throughscripts/codify_learnings.py. - Sanitization: While
scripts/common.pyprovides basic text normalization, it does not include sanitization or filtering to prevent the codification of malicious instructions hidden in the PR metadata or comments.
Audit Metadata