respond
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted user-generated content from GitHub Pull Requests.
  - Ingestion points: The skill fetches external data in Step 1 ('Gather All Feedback') using `gh api` to retrieve comments from `repos/$OWNER/$REPO/pulls/$PR/comments` and `repos/$OWNER/$REPO/issues/$PR/comments`.
  - Boundary markers: The skill lacks delimiters or protective instructions (e.g., XML tags or 'ignore' directives) when interpolating fetched content into variables like `[quote]`.
  - Capability inventory: The skill can execute shell commands via the GitHub CLI, spawn additional AI agents via `mcp__moonbridge__spawn_agent`, and modify repository configuration files such as `CLAUDE.md`.
  - Sanitization: There is no evidence of escaping or validation performed on the fetched feedback before it is passed to sub-agents or used to influence file modifications.
- [COMMAND_EXECUTION]: The skill frequently executes shell commands via the `gh` (GitHub CLI) tool. While used for legitimate PR management, the interpolation of external data into shell command blocks (via heredocs and API calls) relies on the LLM's ability to avoid shell metacharacter injection.
Audit Metadata