gh-dep-pr-triage
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from GitHub Pull Request bodies and commits without sanitization or boundary markers.
  - Ingestion points: In Phase 2, the skill uses `gh pr view <number> --json body,files,commits` to fetch PR data from external sources.
  - Boundary markers: The skill does not use specific delimiters or instructions to ignore instructions embedded in the PR data.
  - Capability inventory: The agent has capabilities to execute shell commands (`git`, `gh`), approve and merge PRs, and run project-specific scripts (`npm install`, `lint`, `format`).
  - Sanitization: The skill does not perform any validation or filtering of the ingested PR content before analysis.
- [COMMAND_EXECUTION]: The skill executes local commands and project-defined scripts on PR branches, which could result in arbitrary code execution if a PR contains malicious code or hooks.
  - Evidence: Phase 3 describes a workflow that includes `git worktree add`, installing dependencies, and running various scripts (`lint`, `format`, `typecheck`) defined within the repository's configuration.
- [EXTERNAL_DOWNLOADS]: The skill triggers the installation of external packages via the project's package manager as part of its automated triage process.
  - Evidence: Phase 3 includes an 'Install dependencies' step which fetches code from external registries.
Audit Metadata