fix-pr-reviews
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data (GitHub PR comments) and uses it to modify the codebase.
- Ingestion points: PR comments fetched via GitHub API (
gh api) and user-provided markdown files (SKILL.md). - Boundary markers: Absent. The skill does not implement delimiters or explicit instructions to the LLM to ignore embedded commands within the fetched comments.
- Capability inventory: The skill has the ability to write to the filesystem, commit changes, and push to a remote repository (
git push). - Sanitization: None. The skill relies on the LLM's internal triage logic to distinguish between valid fixes and malicious suggestions without programmatic validation.
- [COMMAND_EXECUTION]: The skill executes multiple system commands to interact with the environment.
- It uses the GitHub CLI (
gh) to fetch data from remote servers. - It uses
gitcommands (add,commit,push,pull --rebase) to modify the repository state based on the processed external data.
Audit Metadata