fix-pr-comments
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and acts upon untrusted data from GitHub PR comments.
  - Ingestion points: Fetches inline and general PR comments using 'gh api' and 'gh pr view' as described in SKILL.md.
  - Boundary markers: There are no delimiters or 'ignore' instructions specified to prevent the agent from obeying commands embedded within the fetched comments.
  - Capability inventory: The skill uses 'Bash', 'Write', and 'Edit' tools, which allow the agent to execute shell commands (like 'npm test') and modify any file in the repository.
  - Sanitization: No sanitization, escaping, or validation of the comment content is performed before the agent processes it to create tasks.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute various local commands.
  - Evidence: Runs 'git branch', 'gh pr view', 'gh api', and 'npm test'. These commands are used to manage the PR workflow and verify the integrity of the fixes.
Audit Metadata