fix-review

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted text from GitHub PR comments to generate and apply code fixes.
      1. Ingestion points: PR comments are fetched externally using 'gh api' in SKILL.md.
      2. Boundary markers: The skill does not define clear boundaries or 'ignore' instructions for the comment bodies before they are processed by the agent.
      3. Capability inventory: The skill utilizes the 'Bash', 'Read', 'Edit', and 'Write' tools, providing a significant surface for potentially malicious file modifications or command execution.
      4. Sanitization: The risk is partially mitigated by a mandatory human-in-the-loop confirmation step described in the 'Apply fixes' section, requiring the user to approve changes before they are committed to the filesystem.
  • [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute 'gh' CLI commands (gh pr view and gh api) to interact with the GitHub environment. While these commands are necessary for the skill's functionality, they represent the execution of external binaries based on repository state.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 05:17 AM