pr-fix
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
gitand the GitHub CLI (gh) to perform repository management operations including rebasing, force-pushing code, and updating pull request metadata. These actions are standard for the skill's purpose but involve high-privilege operations on the repository. - [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection as it reads and acts upon unvetted data from GitHub pull request descriptions and comments.
- Ingestion points: The skill fetches PR descriptions using
gh pr viewand review comments using the GitHub API (repos/$OWNER/$REPO/pulls/$PR/comments). - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat ingested text as untrusted or to ignore embedded instructions.
- Capability inventory: The agent can execute
git push --force-with-lease,gh pr edit, andgh pr comment, which could be exploited if a malicious actor embeds instructions in a PR comment that the agent then follows during conflict resolution or review addressing. - Sanitization: No sanitization, validation, or filtering of the ingested external text is documented before the content is processed by the agent.
Audit Metadata