coderabbit-resolver
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and act upon data from external, untrusted sources (GitHub review comments and CI logs). In `workflows/review-loop.md` (Steps 1 and 2), the agent is instructed to 'Extract all CodeRabbit review comments', 'Understand' them, and 'Apply' fixes.
  - Ingestion points: GitHub GraphQL API queries for review threads, and the REST API for review bodies and CI logs.
  - Boundary markers: None identified; untrusted data is processed directly as instructions.
  - Capability inventory: Significant capabilities, including repository-wide file editing, local command execution (`pnpm validate`), `git push` access, and PR merging (`gh pr merge`).
  - Sanitization: No validation or sanitization of comment content is performed before suggested changes are applied.
- [Command Execution] (MEDIUM): The skill executes local build and validation tools (`pnpm validate`) and potentially arbitrary fix commands during the 'Fix CI Failures' step (`workflows/review-loop.md`, Step 6d). This allows code defined in a PR (e.g., in a `package.json` script or a CI log) to execute with the agent's privileges.
- [Time-Delayed / Conditional Attacks] (LOW): The `wait-for-ratelimit.sh` script parses wait times from external comments and executes a `sleep` command. While intended for rate limiting, an attacker could influence the parsed duration to cause a denial of service (hanging the agent).
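The bounding that the LOW finding above calls for, shown as an added example in POSIX shell. This is not the skill's own `wait-for-ratelimit.sh` and does not reproduce how that script parses comments; the comment wording it matches ('wait N seconds/minutes'), the default, and the minimum and maximum bounds are assumptions made for this example.

```shell
# Added example, not the skill's wait-for-ratelimit.sh. Parse a wait time out of an
# untrusted comment body and clamp it before it ever reaches sleep.
# Assumed bounds: never sleep longer than 15 minutes on the strength of one comment,
# never spin faster than every 5 seconds, and fall back to 60 seconds when no wait
# time is present.
MAX_WAIT_SECONDS=900
MIN_WAIT_SECONDS=5
DEFAULT_WAIT_SECONDS=60

# safe_wait_seconds "<comment text>"  -> prints an integer within the bounds above.
# The comment is only ever read by grep; it is never passed to eval or to sleep.
safe_wait_seconds() {
    comment=$1

    # First "<digits> <unit>" pair, case-insensitive, at most 9 digits so the
    # arithmetic below cannot overflow. Anything else falls back to the default.
    match=$(printf '%s\n' "$comment" \
        | grep -oiE '[0-9]{1,9} ?(seconds?|secs?|minutes?|mins?)' \
        | head -n 1)
    if [ -z "$match" ]; then
        echo "$DEFAULT_WAIT_SECONDS"
        return 0
    fi

    # Split the match into its numeric part and its unit.
    rawnumber=${match%%[!0-9]*}
    unit=${match#"$rawnumber"}
    unit=${unit# }

    # Strip leading zeros so "09" is not read as a (malformed) octal literal.
    number=${rawnumber#"${rawnumber%%[!0]*}"}
    [ -z "$number" ] && number=0

    case $unit in
        [Mm]*) seconds=$((number * 60)) ;;
        *)     seconds=$number ;;
    esac

    # Clamp into the assumed safe window.
    if [ "$seconds" -gt "$MAX_WAIT_SECONDS" ]; then
        seconds=$MAX_WAIT_SECONDS
    fi
    if [ "$seconds" -lt "$MIN_WAIT_SECONDS" ]; then
        seconds=$MIN_WAIT_SECONDS
    fi
    echo "$seconds"
}

# Convenience wrapper: sleep for the clamped duration derived from a comment.
# Usage: wait_for_ratelimit_comment "$comment_body"
wait_for_ratelimit_comment() {
    secs=$(safe_wait_seconds "$1")
    printf 'rate limited, sleeping %s seconds\n' "$secs" >&2
    sleep "$secs"
}
```

The design point is that the only value derived from the comment is a bounded integer: an attacker who controls the comment can choose anywhere between 5 and 900 seconds, but cannot hang the agent for hours, cannot make it busy-loop, and cannot get shell text from the comment (for example a trailing `; curl ... | sh`) interpreted, because the comment is never substituted into a command line.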
Recommendations
- AI detected serious security threats
Audit Metadata