seer-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection by ingesting untrusted data from GitHub PR comments.
  - Ingestion points: The agent fetches comments using gh api in SKILL.md (Phase 1). This data is controlled by anyone who can comment on the PR or influence the bot.
  - Boundary markers: Absent. The instructions do not specify any delimiters or warnings to ignore instructions embedded within the fetched comments.
  - Capability inventory: The skill can modify source code using the Edit tool and push changes via git push. Most dangerously, Phase 3 ("Test the Analysis") directs the agent to "write a test case or scenario," which could lead to the generation and execution of malicious code derived from an injection attack.
  - Sanitization: Absent. No filtering or validation of the comment content is performed before the agent uses the data to perform logic or code edits.
- COMMAND_EXECUTION (MEDIUM): The skill executes multiple shell commands (gh, git) using parameters (PR numbers, branch names, repository paths) extracted from the environment or external inputs. While the target (GitHub) is generally trusted, the lack of explicit validation on these strings could allow for command injection if the underlying CLI tools are manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata