oh-merge
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes powerful shell commands, including `git push --force-with-lease` and `gh pr merge --squash`, using parameters (PR numbers, branch names) derived from GitHub metadata. These operations are core to the skill's functionality. Remediation: Ensure the agent implementation properly escapes shell arguments to prevent command injection via malicious branch names.
- [PROMPT_INJECTION]: The skill processes untrusted PR content such as titles and code diffs for automated review. This creates an indirect prompt injection surface where a malicious PR could attempt to subvert the agent's review logic. This risk is minimized by the requirement for a human to apply a specific label before processing.
  - Ingestion points: PR titles, branch names, and code diffs retrieved via `gh pr list` (SKILL.md, Step 2 and 5).
  - Boundary markers: No explicit delimiters are used to wrap untrusted PR content in the review prompt.
  - Capability inventory: History overwriting (`git push --force`), PR merging (`gh pr merge`), and PR base modification (`gh pr edit`) (SKILL.md, Step 6).
  - Sanitization: The instructions do not define sanitization steps for branch names or PR content before execution.
- [SAFE]: The skill follows standard development workflows and interacts only with well-known services (GitHub). No obfuscation, data exfiltration, or persistence mechanisms were detected.
Audit Metadata