heal-pr
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of local CLI tools including `git` and `gh` (GitHub CLI) to perform repository operations, modify PR metadata, and interact with the GitHub API. These operations are essential to the skill's primary function of healing Pull Requests.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through external data sources.
  - Ingestion points: The agent is instructed to read content from `gh api` (pull request comments and reviews) and `gh run view --log-failed` (CI/CD logs). Both sources can contain arbitrary text provided by external contributors or malicious code outputs.
  - Boundary markers: The instructions lack delimiters or system-level warnings to ignore or isolate instructions embedded within the PR comments or logs.
  - Capability inventory: The agent has the authority to perform `git push`, modify code via `git rebase`, and update PR descriptions/comments using `gh pr edit` and `gh api` POST/PATCH methods.
  - Sanitization: No sanitization or validation logic is present to filter executable instructions or malicious prompts from the ingested data before the agent acts upon it.
Audit Metadata