pr-validity
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill extracts issue references and repository identifiers from untrusted PR bodies and interpolates them directly into shell commands (e.g., `gh issue view <ISSUE_NUMBER> --repo <OWNER/REPO>`). Without strict validation of the extracted strings, an attacker could include shell metacharacters (e.g., `;`, `|`, `&`) in a PR description to execute arbitrary commands on the runner.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the handling of external data.
- Ingestion points: The skill ingests untrusted data from the PR body, PR diff (new code constructs), and referenced GitHub issue bodies (Step 1, 2, and 4).
- Boundary markers: Absent. There are no specified delimiters or instructions for the agent to ignore embedded commands within the ingested content.
- Capability inventory: The skill possesses shell execution capabilities via `Bash`, file system access via `Read`, and the ability to modify project state via `gh issue create`. It also provides input to a secondary "Explore agent".
- Sanitization: Absent. Untrusted construct names and identifiers are interpolated directly into prompts for the Explore agent and used to drive classification logic.
- [COMMAND_EXECUTION]: The skill uses positional arguments like the PR number in commands such as `gh pr view <PR_NUMBER>` and `gh pr diff <PR_NUMBER>` without explicit sanitization, which could lead to command injection if the input source is manipulated.
Audit Metadata