gh-pr-review-responder
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow defined in SKILL.md instructs the agent to run pnpm lint && pnpm test after implementing code changes. This capability executes scripts defined within the repository's package.json, which could be exploited if an attacker influences the code changes via malicious PR comments.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it reads and acts upon external, untrusted data from GitHub review comments.
  - Ingestion points: scripts/fetch_review_threads.py extracts comment bodies using the GitHub GraphQL API, which are then processed by the agent to decide on code changes.
  - Boundary markers: There are no explicit technical delimiters or instructions to the agent to treat the comment text as untrusted data or to ignore embedded instructions.
  - Capability inventory: The skill allows the agent to modify files, execute shell commands (pnpm), and perform network operations via the gh CLI (scripts/reply_review_thread.py).
  - Sanitization: While references/keep-discard-rubric.md provides a logical framework for human-like triage, there is no automated sanitization or filtering of the comment content to prevent it from influencing the agent's logic.
Audit Metadata