resolve-pr-feedback
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted input from Pull Request review comments and threads, which presents a surface for indirect prompt injection: a reviewer could attempt to influence the agent's behavior or code modifications through malicious instructions.
  - Ingestion points: External data enters the agent context via the `scripts/get-pr-comments` script called in `SKILL.md`, which fetches thread comments and review bodies.
  - Boundary markers: The skill includes a dedicated 'Security' section in `SKILL.md` that explicitly instructs the agent to treat comment text as untrusted context and forbids the execution of commands or scripts found within them.
  - Capability inventory: The skill has access to `git` for local code changes and pushing to remotes and the `gh` tool for API interactions including replying to and resolving threads.
  - Sanitization: No programmatic sanitization is applied to the input; the skill relies on instructional guardrails to ensure the agent evaluates fixes independently from the code.
- [COMMAND_EXECUTION]: The skill utilizes several local shell scripts in the `scripts/` directory to facilitate GitHub interactions. These scripts use the `gh api graphql` command with safely passed parameters to query and mutate PR state. The use of these tools is consistent with the skill's stated purpose of automating PR management.