review-changes
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources and uses it to guide the agent's behavior.
  - Ingestion points: The skill fetches PR metadata (titles, descriptions, comments) via `gh pr view` and Jira ticket details via `acli jira workitem view` in SKILL.md.
  - Boundary markers: The instructions lack explicit delimiters or warnings telling the agent to ignore instructions contained within the fetched external content.
  - Capability inventory: The agent has the ability to post comments back to GitHub using GraphQL mutations and can spawn sub-agents to process data.
  - Sanitization: There is no evidence of sanitization or validation of the external content before it is processed or used in subsequent steps.
- [COMMAND_EXECUTION]: The skill generates shell commands for the GitHub and Atlassian CLIs by interpolating variables such as PR numbers, repository names, and Jira IDs.
  - Evidence: Commands like `gh pr view <number> --repo <owner/repo>` and `acli jira workitem view <JIRA-ID>` are constructed using data derived from user input or PR metadata.
  - Risk: If the source metadata contains shell metacharacters and the execution environment does not properly escape these values, it could allow arbitrary command execution.
Audit Metadata