github-pr-manager

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill processes untrusted external data and has high-privilege write capabilities.
      • Ingestion points: gh pr view (SKILL.md) fetches PR metadata and status from GitHub, which includes attacker-controlled content.
      • Boundary markers: Absent. There are no instructions for the agent to distinguish between PR data and control instructions.
      • Capability inventory: The skill can execute gh pr merge, git push, and gh pr create (SKILL.md).
      • Sanitization: Absent. The agent is instructed to interpret results from gh pr view directly without escaping or validating the content against a schema before making merge decisions.
  • COMMAND_EXECUTION (LOW): The skill uses git and gh (GitHub CLI) for repository management. While these are legitimate tools, the skill generates shell commands by interpolating variables, which could be exploited if the agent is successfully subverted via indirect injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:48 AM