landing-the-plane
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill directs the agent to ingest and act upon external feedback from PR comments.
- Ingestion points: The agent is instructed to read comments from @codex and 'address every comment' by pushing fixes (File: SKILL.md).
- Boundary markers: There are no defined boundary markers or instructions to ignore embedded commands within review feedback.
- Capability inventory: The agent has permissions to modify source code, execute git commands (git push, git rebase), run local scripts (scripts/pr-ready.sh), and execute automated test suites (shell execution).
- Sanitization: No sanitization or validation of the review comments is performed before the agent implements the suggested 'fixes'. An attacker who can influence the PR comments could inject malicious instructions that the agent would then execute with repository-level privileges.
- Command Execution (MEDIUM): The skill relies on executing several local scripts and shell commands that could be dangerous if the underlying repository is compromised.
- Evidence: Calls to scripts/pr-ready.sh, scripts/codex-unreplied.sh, and scripts/gh-wait-for-merge.py are hardcoded in the workflow. While these are local to the skill's environment, the agent executes them without prior verification of their content.
Recommendations
- AI detected serious security threats
Audit Metadata