address-pr-feedback
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `gh` and `git` CLI tools to interact with GitHub, fetch PR data, create issues, and push code changes. It also dynamically executes local test runners (e.g., `npm test`, `pytest`) identified from the project configuration to verify fixes.
- [PROMPT_INJECTION]: The skill exhibits a surface for Indirect Prompt Injection (Category 8) because it ingests and acts upon untrusted data from GitHub PR comments.
- Ingestion points: PR review comments and conversation threads are fetched via the GitHub API in Step 2 of `SKILL.md`.
- Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the processed comment text.
- Capability inventory: The agent has the capability to read/write files, execute shell commands for testing, and push code to the remote repository (Steps 4 and 5 in `SKILL.md`).
- Sanitization: No sanitization or filtering of the comment content is performed beyond basic noise reduction (length/author checks).
- Mitigation: A critical mitigation is the mandatory user confirmation step in Step 3, where the agent is required to present its categorization and rationale to the user and wait for explicit confirmation before proceeding with any code modifications.
Audit Metadata