Skills
skills/fatih/dotfiles/pr-comments/Gen Agent Trust Hub

pr-comments

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a high-risk surface by ingesting external content and allowing it to drive file system modifications.
  • Ingestion points: The script scripts/fetch-pr-feedback.sh retrieves comments, review_comments, and reviews from the GitHub API. This data is entirely attacker-controlled if an attacker has permission to comment on the repository.
  • Boundary markers: There are no boundary markers or delimiters defined in SKILL.md to isolate the PR feedback from the agent's system instructions.
  • Capability inventory: SKILL.md (Step 5) explicitly authorizes the agent to "read the relevant file(s)" and "make the requested change" based on the external input, granting the untrusted content direct influence over the local codebase.
  • Sanitization: No sanitization or safety-filtering is performed on the ingested PR content before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:18 AM