describe-pr
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): Step 6 instructs the agent to parse 'verification requirements' from a PR template or description and execute them if they appear to be commands (e.g., `make check`, `npm test`). Because these sources can be controlled by external contributors or malicious actors, this leads to arbitrary command execution on the host machine.
- COMMAND_EXECUTION (MEDIUM): Step 4b executes a local shell script (`aggregate-reasoning.sh`) from a path constructed via the `$CLAUDE_PROJECT_DIR` environment variable. If the project directory contains untrusted files, this leads to execution of potentially malicious scripts.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted PR diffs and metadata (`gh pr diff`) and processes them without sanitization or boundary markers. This untrusted data directly influences the agent's decision to execute commands in Step 6.
Recommendations
- AI detected serious security threats
Audit Metadata