pr-comments

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill triages untrusted content from human and bot-generated PR comments and reviews, using it to create fix plans and subagent instructions.
      • Ingestion points: The skill fetches review threads, comments, and reviews via the GitHub API as described in SKILL.md and references/github-api.md.
      • Boundary markers: The subagent prompt template in Phase 4b interpolates finding and approach data into a prompt but lacks robust delimiters or explicit instructions to ignore embedded malicious commands within the comment body.
      • Capability inventory: The skill has the capability to perform file system writes, execute local CLI commands (lint/test), and push to remote Git repositories.
      • Sanitization: A mandatory human-in-the-loop checkpoint in Phase 3 requires the user to review and approve the fix plan before any automated execution occurs, providing a critical safety gate against accidental execution of malicious instructions.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of local terminal commands to verify code changes.
      • Evidence: Phase 4d of SKILL.md instructs the agent to run project-specific lint and test commands if available before pushing changes.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 13, 2026, 11:58 AM