gh-dep-pr-triage
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute project-specific scripts such as `lint`, `format`, and `typecheck` (Phase 3). These commands run against code fetched from remote pull request branches, which could contain malicious code if the PR source is compromised.
- [EXTERNAL_DOWNLOADS]: In Phase 3, the 'Install dependencies' step triggers downloads from external package registries (such as npm or PyPI). The specific packages and versions are determined by the PR's modified lockfiles, which are untrusted external inputs.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it ingests PR descriptions and commit messages that could contain instructions designed to manipulate the agent's behavior.
- Ingestion points: Untrusted data is read from PR bodies, files, and commits via the `gh pr view` command in Phase 2.
- Boundary markers: The skill does not use specific delimiters or instructions to make the agent treat the PR content as untrusted data rather than as instructions.
- Capability inventory: The skill has broad capabilities, including shell access (`gh`, `git`), file system modification (fixing code), and network access (pushing changes and merging PRs).
- Sanitization: There is no evidence of content sanitization or validation of the PR body before the agent processes it in its 'investigation' logic.
Audit Metadata