flywheel-qa
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it ingests and processes untrusted data from external sources.
- Ingestion points: Pull Request comments and branch names are retrieved via the
ghCLI tool. - Boundary markers: No delimiters or instructions are provided to the agent to distinguish untrusted external content from system instructions.
- Capability inventory: The skill possesses the ability to write to Pull Requests using
gh pr commentand interact with web pages via the Agent Browser. - Sanitization: The retrieved PR data is used directly in logic without validation or sanitization.
- [COMMAND_EXECUTION]: The skill executes shell commands using the GitHub CLI (
gh). While necessary for the skill's primary function, these commands are constructed using variables derived from Pull Request data, creating a potential command injection vector if the input is not strictly controlled.
Audit Metadata