land

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it monitors and implements logic based on untrusted inputs from GitHub pull request descriptions and review comments. An attacker could use these fields to inject malicious instructions that the agent would then execute with its code-writing and repository-merging capabilities.
      • Ingestion points: Ingests PR titles, bodies, and review comments via gh pr view and gh api in SKILL.md and land_watch.py.
      • Boundary markers: No boundary markers or 'ignore' instructions are used when processing external comments.
      • Capability inventory: The agent can execute shell commands, commit code, push to remote branches, and squash-merge PRs.
      • Sanitization: While terminal output is sanitized for control characters in land_watch.py, the logical content of instructions from comments is not validated or filtered.
  • [COMMAND_EXECUTION]: The skill executes repository-local build scripts (npm run compile, npm run lint, npm run test:unit) and a local Python helper script (land_watch.py), which allows for the execution of arbitrary code defined within the repository context.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 03:28 PM