address-pr-comments
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (LOW): The skill ingests PR comments that may contain 'Prompt for AI Agents' blocks, which is a significant surface for Indirect Prompt Injection. Evidence: the validation checklist explicitly directs the agent to read these blocks.
  - Ingestion points: PR comments fetched via scripts/list_comments.py.
  - Boundary markers: Headers like 'Prompt for AI Agents' are used but do not prevent the agent from being influenced by malicious instructions within the data.
  - Capability inventory: File system write access, git commit capabilities, and execution of shell commands for tests and linters.
  - Sanitization: Relies on manual logic ('Decide Validity'), which can be bypassed.
- COMMAND_EXECUTION (LOW): The skill executes a local script (scripts/list_comments.py) and runs tests/checks on code that has been modified based on untrusted external PR feedback. This could lead to arbitrary code execution if an attacker provides a comment that injects malicious logic into a test file that is subsequently executed by the agent.
Audit Metadata