prepare-pr
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of `.local/review.json`. The agent is instructed to "Fix all required findings" based on the content of the `fix` field in this JSON. If the review data is influenced by an attacker (e.g., via a malicious PR that an automated reviewer then processes into this file), it could contain instructions that lead the agent to perform unauthorized actions during the fix phase.
  - Ingestion points: The file `.local/review.json` is read using `jq` to extract findings and fix instructions.
  - Boundary markers: Absent; there are no instructions or delimiters used to ensure the agent treats the JSON content as data rather than instructions.
  - Capability inventory: The skill allows for command execution via `scripts/pr-prepare`, file modifications during the fix phase, and git commits via `scripts/committer`.
  - Sanitization: None; the agent directly acts upon the strings retrieved from the JSON fields.
- [COMMAND_EXECUTION]: The skill's primary workflow involves executing multiple shell scripts (`scripts/pr-prepare`, `scripts/committer`) and CLI utilities (`jq`, `ls`) to manage the repository state and PR metadata.
- [NO_CODE]: The core functional logic of the skill is encapsulated in external script files (`scripts/pr-prepare` and `scripts/committer`) which are not included in the provided source code. This limits the ability to verify the specific internal behaviors of those scripts.