pr-comments
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from GitHub PR comments and interpolates it directly into prompts for subagents.
  - Ingestion points: Phase 1b and 1d in `SKILL.md` fetch comment bodies from GitHub review threads and issue comments.
  - Boundary markers: Absent. Untrusted comment content is placed directly into a text template for the Task tool without delimiters or instructions to ignore embedded commands.
  - Capability inventory: `gh api` (PR management), `docker compose exec` (validation), and `Task` (autonomous code modification) in `SKILL.md`.
  - Sanitization: Absent. No filtering or escaping is applied to the comment body before it is used to describe tasks to subagents.
- Command Execution (SAFE): The skill uses standard CLI tools (`gh`, `docker`) for repository management and testing.
  - Evidence: Phases 1 and 4 use the GitHub CLI for data retrieval and state modification. Phase 4c uses Docker for validation.
  - Context: These operations are consistent with the skill's stated purpose of triaging and fixing PR issues.
Audit Metadata