dependabot-pr-automation
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its interaction with untrusted pull request data.
  - Ingestion points: The skill ingests data including pull request titles, labels, and file lists from the chainloop-dev/chainloop repository via mcp__github__list_pull_requests and mcp__github__get_pull_request_files.
  - Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions that might be embedded within pull request titles or descriptions.
  - Capability inventory: The skill has significant capabilities, including the ability to approve and merge pull requests and execute Bash commands.
  - Sanitization: There is no mention of sanitization, validation, or escaping of the input data retrieved from the GitHub API before it is processed by the logic.
- [COMMAND_EXECUTION]: The skill includes Bash in its allowed-tools. While the instructions primarily focus on GitHub API interactions, the combination of shell access and the processing of external pull request metadata creates a potential attack surface for command injection if the agent is manipulated by malicious input.
Audit Metadata