greploop
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves review comments through the GitHub API and instructs the agent to automatically apply suggested fixes to the codebase. An attacker who can influence the PR comments could inject instructions that the agent would then commit to the repository.
  * Ingestion points: Pull Request reviews and comments fetched via 'gh api' in SKILL.md.
  * Boundary markers: None; the agent processes comment text directly.
  * Capability inventory: File modification, 'git push', and 'gh api' GraphQL mutations in SKILL.md.
  * Sanitization: None; no validation of comment content is performed.
- [COMMAND_EXECUTION]: The skill uses 'git' and 'gh' (GitHub CLI) for repository management. These tools allow the agent to push code, check PR status, and interact with the GitHub API. This provides the capabilities needed for PR automation but requires proper repository access controls.
Audit Metadata