yeet

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (HIGH): The workflow includes an instruction to 'install dependencies and rerun once' if checks fail. This lets the agent run package manager commands automatically (e.g., npm install, pip install), which typically execute arbitrary lifecycle scripts. In the context of a malicious repository, this provides an immediate path to system compromise.
  • REMOTE_CODE_EXECUTION (HIGH): In SKILL.md, the instruction to 'run pr-body.md' is a critical risk. If the agent interprets 'run' as a command-line execution, and the contents of that file are generated based on untrusted codebase diffs or user-provided descriptions, it creates a direct Remote Code Execution (RCE) vector.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill facilitates the download and installation of unverifiable third-party packages from external registries (Category 4). While the author 'openai' is a trusted source, the [TRUST-SCOPE-RULE] dictates that this only downgrades the download finding itself, not the dangerous behavior of executing those downloads.
  • PROMPT_INJECTION (HIGH): This skill is highly susceptible to Indirect Prompt Injection (Category 8).
      ◦ Ingestion points: The skill processes codebase diffs and file content to generate PR descriptions.
      ◦ Boundary markers: None are present to distinguish between instructions and data.
      ◦ Capability inventory: The agent has the ability to install dependencies, push code to remote repositories, and execute local files ('run pr-body.md').
      ◦ Sanitization: No sanitization or escaping of the diff content is performed before generating the description or running the file.
  • DYNAMIC_EXECUTION (MEDIUM): The instruction to write a PR description to a temporary file and then 'run' it constitutes dynamic code generation and execution (Category 10).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:25 AM