copilot-pull-request
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection due to its core functionality.
  - Ingestion points: Untrusted data enters the agent's context through operations like fetch-pr-details and list-comments, which read PR bodies and review threads from GitHub (File: SKILL.md).
  - Boundary markers: The skill definition lacks any specification for boundary markers or instructions to the agent to disregard natural language commands embedded within the retrieved data.
  - Capability inventory: The skill provides powerful write capabilities, including reply-comment, resolve-thread, and most critically, merge-pr (File: SKILL.md).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the external content before it is processed by the agent. An attacker could embed malicious instructions in a PR comment to trick the agent into merging unauthorized code.
Recommendations
- AI detected serious security threats