github-pr
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The merge and test commands in scripts/github-pr.py execute code from untrusted external sources.
  - The script runs package manager installation commands (npm install, pnpm install, yarn install, bun install) and build scripts (npm run build) on code fetched from GitHub Pull Requests via git fetch. This allows a malicious PR author to execute arbitrary code on the local machine via lifecycle scripts or build definitions.
- [COMMAND_EXECUTION]: The script uses subprocess.run to execute system commands including git, gh, and package managers.
  - While command arguments are passed as lists to prevent shell injection, the logic allows for the execution of arbitrary scripts defined within the fetched PR code (e.g., via npm run build).
- [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection by processing untrusted PR metadata.
  - Ingestion points: PR titles, descriptions, and comments are fetched in get_pr_info and displayed to the agent.
  - Boundary markers: The script does not use specific delimiters or instructions to prevent the agent from obeying instructions hidden within the PR data.
  - Capability inventory: The script has extensive capabilities, including file system modification via git and arbitrary command execution via package managers.
  - Sanitization: No sanitization or validation is applied to the metadata retrieved from GitHub.
Audit Metadata