fix-coderabbit-review
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses several command-line tools including git, gh (GitHub CLI), pnpm, and python3. These are used to manage the repository, interact with GitHub's API, and perform text manipulation within the generated markdown files.
- [EXTERNAL_DOWNLOADS]: The scripts communicate with GitHub's REST and GraphQL APIs to fetch pull request metadata and review comments. This operation is scoped to the target repository and uses the GITHUB_TOKEN provided in the execution environment.
- [PROMPT_INJECTION]: A vulnerability to indirect prompt injection exists in the thread resolution logic. The script resolve_pr_issues.sh uses a regular expression to extract Thread IDs from markdown files that include raw, untrusted PR comment bodies. This allows an attacker with PR comment access to inject spoofed Thread ID markers and influence which threads are marked as resolved.
  - Ingestion points: PR and issue comments are fetched from GitHub and saved in ai-docs/reviews-pr-<PR_NUMBER>/issues/*.md.
  - Boundary markers: Absent. The extraction script parses the entire file and does not distinguish between the script-generated metadata and the untrusted comment content.
  - Capability inventory: The skill can perform GitHub API mutations via the gh CLI, specifically resolveReviewThread.
  - Sanitization: Absent. Extracted strings are passed directly to the gh command arguments, though the gh CLI's parameter handling reduces the risk of direct shell command injection.
Audit Metadata