pull-requests
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute several local shell scripts located in the ./scripts/ directory, including wait_pr_ready.sh, check_codex_comments.sh, and resolve_pr_comment.sh. It also makes extensive use of the git and gh (GitHub CLI) command-line tools to interact with the repository and manage pull requests. These operations are core to the skill's functionality but represent a significant capability tier.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It is instructed to retrieve and process pull request comments and status information, which may contain untrusted data provided by external contributors that could influence the agent's logic during its iteration loops.
  - Ingestion points: Pull request comments and metadata are ingested via the check_codex_comments.sh script and the gh tool.
  - Boundary markers: Absent. There are no instructions or delimiters used to separate untrusted comment content from the agent's internal instructions.
  - Capability inventory: The skill can execute local shell scripts, perform git operations (commit, push, rebase), and update pull request bodies/comments.
  - Sanitization: Absent. The skill does not implement any validation or sanitization of the content found in pull request comments before processing them.
Audit Metadata