
gh-pr-audit

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill executes code and scripts contained within the target Pull Request. Specifically, the review_pr.py helper script runs pytest and performs syntax checks (using python -m compileall and bash -n) on the checked-out PR content.
  • [COMMAND_EXECUTION]: The instructions in SKILL.md direct the agent to build a check plan by reading files like AGENTS.md, Makefile, and CI workflows from the repository and executing the commands found therein. This allows for arbitrary command execution controlled by the PR content.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it prioritizes untrusted repository instructions as the 'source of truth'.
    • Ingestion points: Pull Request diffs, AGENTS.md, README.md, Makefile, justfile, and GitHub Actions workflow files.
    • Boundary markers: None; the instructions explicitly direct the agent to follow guidance found in the PR.
    • Capability inventory: System command execution via subprocess (git, gh, pytest) and execution of arbitrary shell commands discovered in the repo.
    • Sanitization: None; while the helper script uses list-based subprocess calls for its own logic, the workflow instructs the agent to execute any validation commands it discovers.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 9, 2026, 10:18 PM