dependabot-merger
Warn
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs `bash` commands using variables like `<original title>`, `<TICKET_ID>`, and `<owner/repo>` which are derived from external, untrusted sources (GitHub and Jira). There is no instruction to escape or sanitize these strings, creating a direct path for shell command injection if an attacker can influence a PR title or a Jira ticket name.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it reads and processes untrusted data from PR bodies and Jira tickets to make automated merge decisions.
- Ingestion points: PR titles, bodies, and Jira ticket summaries are ingested into the context via `gh` and `jira` CLI tools (SKILL.md).
- Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands or overrides within the ingested data.
- Capability inventory: The agent can execute shell commands, modify repository state (merging/editing PRs), and access local environment variables.
- Sanitization: There is no evidence of sanitization or validation of the ingested strings before they are used to drive decision-making logic or shell execution.
Audit Metadata