autofix
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to ingest and execute instructions from external sources, presenting a surface for indirect prompt injection.
  - Ingestion points: Instructions are retrieved from the AGENTS.md file in the local repository and from specific sections of GitHub Pull Request comments (labeled "Prompt for AI Agents") authored by CodeRabbit bots (coderabbitai, coderabbit[bot], coderabbitai[bot]).
  - Boundary markers: The skill lacks explicit boundary markers or delimiters when processing these external prompts; it is instructed to follow the agent prompts literally.
  - Capability inventory: The agent possesses capabilities to modify local files (via the Edit tool), execute shell commands (git, gh), and perform GitHub API operations such as commenting and reacting.
  - Sanitization: No validation or sanitization is performed on the content retrieved from AGENTS.md or PR comments before the agent processes them as instructions.
- [COMMAND_EXECUTION]: The skill performs several shell-based operations necessary for its workflow:
  - Executes git commands for status checks, branch identification, commits, and pushes.
  - Uses gh (GitHub CLI) to list Pull Requests, fetch thread data via GraphQL, and post summary comments.
  - Offers to execute build, lint, or test commands as specified in the repository's AGENTS.md file during the validation step.
Audit Metadata