backport-pr-assistant
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and process external, untrusted data from pull requests and conflict markers to perform backports.
- Ingestion points: Reads pull request data and conflicting code files (SKILL.md).
- Boundary markers: None. The instructions do not specify any delimiters or safety warnings to ignore embedded instructions in the PR content or code.
- Capability inventory: Execution of backport and git commands; modification of local files during conflict resolution.
- Sanitization: None. The agent is encouraged to 'read the conflicting files' and 'understand' them, which is a direct path for prompt injection via code comments or PR descriptions.
- Command Execution (MEDIUM): The skill explicitly instructs the agent to execute shell commands (backport, git add, backport --continue) to perform its tasks. While necessary for the stated purpose, this provides the execution vehicle for any successful prompt injection attack.
Recommendations
- AI detected serious security threats
Audit Metadata