fix-pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `gh` (GitHub CLI) and `git` commands to interact with remote repositories and local files.
  - Evidence: `gh pr view`, `gh pr diff`, `gh api`, `git add`, `git commit`, and `git push` are executed as part of the primary workflow.
- [COMMAND_EXECUTION]: The skill dynamically executes 'verification commands' based on mappings found in local configuration files (`.claude/rules/general.md`).
  - Evidence: Step 4 explicitly directs the agent to 'Run verification commands from the loaded development skill' based on the file types modified in the PR.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests and acts upon untrusted data from GitHub PR comments.
  - Ingestion points: Data enters the agent context through the GitHub API in `SKILL.md` via commands like `gh api repos/{owner}/{repo}/pulls/{pr_number}/reviews/{review_id}/comments`.
  - Boundary markers: No boundary markers or 'ignore embedded instruction' warnings are present to prevent the agent from obeying malicious instructions embedded in review comments.
  - Capability inventory: The agent possesses high-impact capabilities including file system modification, repository pushing, and execution of shell commands (verification steps).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the PR comment content before it is processed to determine the 'fix' to be applied.