iterate-pr
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): Detected surface for indirect prompt injection. The skill is designed to fetch external, untrusted content (CI failure logs and PR review comments) and act upon it by modifying source code. An attacker could potentially embed malicious instructions in CI logs or PR comments to influence the agent's behavior.
- Ingestion points: CI failure snippets extracted by
scripts/fetch_pr_checks.pyand PR review feedback fetched byscripts/fetch_pr_feedback.py. - Boundary markers: Absent. The agent receives the external text without boundary delimiters or instructions to ignore embedded commands.
- Capability inventory: The agent has permissions to read/edit files and perform git operations (commit/push), providing a significant impact path for malicious instructions.
- Sanitization: Absent. Logs are filtered for failure markers but the resulting text is not sanitized or escaped for instructional content.
- COMMAND_EXECUTION (SAFE): The skill interacts with the GitHub CLI (
gh) and Git usingsubprocess.runwith list-based arguments. This approach is secure as it avoids shell interpretation and prevents common injection vulnerabilities.
Audit Metadata