pr-fix
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Shell command templates in the instructions (e.g., `echo "$ARGUMENTS" | grep ...` and `gh pr view <PR_NUMBER>`) do not specify sanitization for variables derived from user input or extracted from the conversation context. This presents a risk of command injection if these variables contain shell metacharacters.
- [REMOTE_CODE_EXECUTION]: The workflow involves running arbitrary project scripts (`bun run test`, `bun run lint:fix`) and building native modules (`npx electron-rebuild`). Executing code from the repository being processed is a significant risk if the repository contains malicious configurations.
- [EXTERNAL_DOWNLOADS]: Tools like `npx` and `bunx` are used to fetch and execute packages from public registries during the fixing process, which can be an entry point for supply chain attacks.
- [PROMPT_INJECTION]: The skill processes untrusted PR review reports to drive code changes, which is a vector for indirect prompt injection.
  - Ingestion points: PR Review Report in the conversation session (Step 0, Step 1).
  - Boundary markers: None; the skill relies on Markdown table structures without strict isolation.
  - Capability inventory: File system read/write, shell execution, and network access via GitHub CLI (Step 3, 5, 8).
  - Sanitization: Triage and validation logic (Step 4) and a full quality gate (Step 6).