pr-comment-responder
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted PR comments from GitHub and passes them to an orchestrator agent with code-modification capabilities.
- Ingestion points: The skill fetches external comments using get_pr_review_comments.py in Phase 1 and references/workflow.md.
- Boundary markers: PR comments are interpolated into orchestrator prompts without explicit delimiters or warnings to ignore embedded instructions.
- Capability inventory: The skill can post replies via post_pr_comment_reply.py, resolve threads, and delegate code implementations and commits to a subagent.
- Sanitization: No sanitization or escaping of PR comment content is performed before processing.
- [COMMAND_EXECUTION]: The workflow relies on shell commands (e.g., sed, jq, echo) and Python scripts that incorporate variables derived from user prompts and PR data. For example, extract_github_context.py takes the raw user prompt as an argument via the --text flag, and sed -i is used to update local artifacts based on comment metadata. This could be problematic if the input contains unexpected shell metacharacters or sed delimiters.
Audit Metadata