fetch-pr-feedback
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from GitHub PR comments and passing it to the
receive-feedbackskill for evaluation and execution. - Ingestion points: Comments are retrieved from the GitHub API in Step 3 of
SKILL.md(repos/$OWNER/$REPO/issues/$PR_NUMBER/commentsandrepos/$OWNER/$REPO/pulls/$PR_NUMBER/comments). - Boundary markers: The skill organizes data using Markdown headers (e.g.,
## Reviewer: ...), but lacks explicit instructions to the subsequent skill to ignore embedded commands or system instructions within the comment bodies. - Capability inventory: The ingested data is passed to
beagle-core:receive-feedback, which is described as having the capability to 'verify -> evaluate -> execute' instructions derived from the feedback. - Sanitization: The skill performs regex-based cleaning (
clean_bodyin the jq filters) to remove bot-specific metadata and boilerplate, but this does not sanitize the text against natural language prompt injection attacks. - [COMMAND_EXECUTION]: The skill dynamically generates
jqscript files at runtime and executes them to process data. - Evidence: In Step 3, the skill uses shell redirection (
cat > /tmp/issue_comments.jq) to write complex filtering logic to temporary files, which are then executed using thejq -fflag. - [COMMAND_EXECUTION]: The skill relies extensively on the GitHub CLI (
gh) to perform repository operations and fetch authenticated user data. - Evidence: Multiple calls to
gh pr view,gh repo view,gh api user, andgh api --paginateare used to populate environmental variables and retrieve external content.
Audit Metadata