pr-address-bot-reviews
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to act upon feedback from external bots.
  - Ingestion points: The agent fetches bot-authored reviews and comments using the 'gh' CLI and GitHub API.
  - Boundary markers: There are no explicit delimiters used to separate untrusted bot content from the agent's primary instructions.
  - Capability inventory: The agent can modify the filesystem, commit/push code, and run shell commands for testing.
  - Sanitization: The skill does not sanitize or validate external feedback before processing.
- [COMMAND_EXECUTION]: The agent is instructed to implement fixes and run tests based on bot comments, creating a risk that malicious suggestions could lead to the execution of harmful shell commands.
- [DATA_EXFILTRATION]: The 'scripts/pr-thread-reply' script uses the '--body-file' argument to read local files and post them to the PR. An attacker could potentially trick the agent into reading sensitive files and posting their contents publicly.
Audit Metadata