skills/rtk-ai/rtk/pr-triage/Gen Agent Trust Hub

pr-triage

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE (categories flagged: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Employs the GitHub CLI (gh) and git to perform repository operations, including viewing repository details, listing open and merged pull requests, and fetching code diffs.
  • [COMMAND_EXECUTION]: Programmatically accesses system clipboard utilities such as pbcopy, xclip, or wl-copy to export the generated triage summary for the user's convenience.
  • [PROMPT_INJECTION]: Contains a surface for Indirect Prompt Injection (Category 8) when processing external pull request data.
      • Ingestion points: Repository data including PR titles, descriptions (body), and code differences (diff) are consumed as untrusted input from the GitHub API.
      • Boundary markers: The instructions for the code-reviewer sub-agent interpolate the PR body and diff into the prompt without using secure delimiters or isolation techniques.
      • Capability inventory: The skill has the ability to post comments to GitHub, which could be exploited if the AI is successfully manipulated by content in the PR.
      • Sanitization: There is no evidence of sanitization or filtering applied to the PR content prior to its inclusion in the LLM prompt.
      • Mitigation: The workflow effectively mitigates the threat through a 'human-in-the-loop' validation phase, ensuring that no comments are posted without the user's explicit review and consent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 14, 2026, 06:16 PM