pr-watch (skills/elie222/inbox-zero/pr-watch)

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes multiple GitHub CLI (gh) commands and GitHub API requests to fetch PR metadata, review comments, and CI/CD check status.
      • Evidence: Use of gh pr view, gh repo view, and various gh api calls in SKILL.md to interact with GitHub's infrastructure.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting and acting on untrusted data from GitHub PR comments.
      • Ingestion points: Untrusted PR review and conversation comments are fetched via the GitHub API in SKILL.md and passed into the agent's context during the loop execution.
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are provided when the agent is prompted to "Evaluate the suggestion" and "fix the code" based on the comment body.
      • Capability inventory: The agent possesses the capability to read PR data, execute system commands through the GitHub CLI, modify files in the repository (confirming fixes), and potentially push changes to remote branches.
      • Sanitization: No sanitization or content validation is performed on the comment text before it is evaluated by the model, allowing an attacker to potentially influence the agent's behavior through malicious PR comments.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 21, 2026, 10:21 AM