resolve-pr-parallel
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes untrusted content from GitHub PR comments. * Ingestion points: PR comment bodies are fetched using the
gh api graphqlcommand inscripts/get-pr-comments. * Boundary markers: There are no explicit delimiters or instructions provided to the sub-agents to ignore or treat comment content as untrusted data. * Capability inventory: The skill uses high-privilege tools includinggh,git, andbash, which increases the potential impact if an agent obeys instructions hidden in a comment. * Sanitization: Comment text is passed directly to agents without any filtering or validation. - [COMMAND_EXECUTION]: The skill relies on shell script execution (
bash) and the GitHub CLI (gh) to perform its tasks. While this is necessary for functionality, the execution of commands based on parameters derived from PR metadata requires the environment to be secure against command injection.
Audit Metadata