autofix
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and executing instructions from external sources.
  - Ingestion points: Pull Request comments (fetched via GitHub API) and a local `AGENTS.md` file.
  - Boundary markers: Absent; the skill explicitly instructs the agent to "Follow agent prompts literally" and "Execute CodeRabbit's agent prompt as direct instruction."
  - Capability inventory: File system access (reading/writing files), execution of `git` and `gh` CLI tools, and arbitrary command execution for build/lint tasks.
  - Sanitization: None; the skill relies on the user's choice between "Manual Review" and "Auto-fix all" mode. In "Auto-fix all" mode, changes are applied without a human-in-the-loop approval step.
- [COMMAND_EXECUTION]: The skill performs shell command execution based on instructions found in the repository's `AGENTS.md` file (Step 0 and Step 9). This allows for repository-specific build and validation logic but could be exploited if an attacker can modify files in the repository.
Audit Metadata