resolve-pr-comments
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted PR comments and uses them to drive code changes and repository actions.
- Ingestion points: Review comments are fetched from external PRs via the pull-request-tool, as described in Phase 1 (Discovery) of SKILL.md.
- Boundary markers: Absent. The instructions do not define clear boundaries or 'ignore' directives between the tool's logic and the data fetched from external comments.
- Capability inventory: The skill is capable of filesystem modifications ('Make code changes'), Git operations ('Commit all changes', 'Push to PR branch'), and thread management ('Mark as resolved') via the pull-request-tool.
- Sanitization: Absent. The agent is instructed to 'Review the feedback', 'Understand the request', and 'Take action', which treats untrusted data as valid instructional input.
- Command Execution (MEDIUM): The workflow involves high-impact operations that modify the repository state. Although performed through composed skills, the sequence is triggered by and operates on untrusted external data.
- Interaction Modes (MEDIUM): The yolo interaction mode (autonomous resolution) specifically removes human oversight, allowing the agent to perform high-impact code changes and pushes automatically based on potentially malicious comments.
Recommendations
- AI detected serious security threats