follow-up-on-pr
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted input from PR descriptions, comments, and CI logs to guide its actions. An attacker could craft a PR with malicious instructions in these fields to influence the agent's behavior. 1. Ingestion points: Pull Request metadata and comments are fetched via FetchUrl or gh pr view in SKILL.md. 2. Boundary markers: No explicit delimiters or instructions are used to separate untrusted PR data from the agent's internal logic. 3. Capability inventory: The skill can execute shell commands (git, gh, build tools) and perform network operations (git push, GitHub API). 4. Sanitization: There is no evidence of sanitization or filtering for the external PR content before it is processed.
- [COMMAND_EXECUTION]: In the 'Run Local CI Checks' workflow step, the skill identifies and executes build and test commands (such as npm run test, pytest, cargo test) by reading configuration files like package.json or Makefile directly from the repository. A malicious repository or PR could modify these files to execute arbitrary code when the skill attempts to run local checks.
Audit Metadata