fix-pr
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It fetches review comments and PR comments using the GitHub API (
gh api) and processes this untrusted text to generate code fixes. An attacker with commenting permissions could provide malicious instructions that the AI might execute. \n - Ingestion points: GitHub API calls for reviews and comments in
SKILL.md. \n - Boundary markers: None present to distinguish between instructions and data. \n
- Capability inventory: File reading/writing, shell command execution (
bun,gh,git), and repository pushing. \n - Sanitization: None. \n- [COMMAND_EXECUTION]: The skill executes multiple shell commands (
bun run test,bun run build,bunx biome) to verify fixes. Since these commands are run on code modified based on untrusted external comments, it creates a vector for executing malicious logic if the AI is successfully injected.
Audit Metadata