github-pr-fix
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it interprets external PR comments and review threads as instructions to fix code. • Ingestion points: The skill ingests 'review_threads' and 'comments' artifacts from the manifest file in 'references/pr-fix-workflow.md'. • Boundary markers: No delimiters or instructions to ignore embedded commands are used when processing PR feedback. • Capability inventory: The skill executes the 'ghx.sh' script and 'relevant verification commands' (e.g., builds/tests) which involve subprocess execution. • Sanitization: No sanitization or validation of the PR comment content is mentioned in the workflow.
- [COMMAND_EXECUTION]: The skill performs command execution by calling the author-provided 'ghx.sh' script and running dynamic 'verification commands' to confirm fixes. This represents a capability that could be exploited if the PR content or review feedback influences the commands being executed.
Audit Metadata