fix-pr-comments

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill treats external GitHub PR comments as trusted instructions for code modification.
      * Ingestion points: 'gh api' and 'gh pr review list' calls in the 'FETCH COMMENTS' phase of SKILL.md.
      * Boundary markers: None present; instructions mandate addressing 'ALL' unresolved review comments.
      * Capability inventory: 'Edit', 'MultiEdit', 'Bash(git :)', and 'Bash(gh :)' in SKILL.md.
      * Sanitization: None; the agent is directed to 'Make EXACTLY what reviewer requested' and push changes.
  • [Command Execution] (MEDIUM): The skill uses broad 'gh' and 'git' bash capabilities to interact with the repository and remote host. While standard for the task, these capabilities are directly triggered and controlled by untrusted data from PR comments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:48 AM