auto-pr-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It processes untrusted data from PR comments, review threads, and repository configuration files as described in Phase 0 of SKILL.md and references/review-and-merge.md. This data can influence the agent's 'Decision Engine'.
  - Ingestion points: PR comments, review decisions, and repository metadata (e.g., package.json, workflow files).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the processing logic.
  - Capability inventory: The skill can execute arbitrary shell commands (via git/gh/npm), perform file operations, and push changes to remote repositories.
  - Sanitization: No evidence of sanitization or validation of external text before it is used to determine the next action.
- [COMMAND_EXECUTION]: The skill executes shell commands based on the detected repository environment (e.g., running tests via npm, pytest, tox). While it attempts to use 'repo-native' checks to avoid generic execution, it effectively executes code defined in the repository being processed.
- [SAFE]: The skill implements security best practices by defining 'Hard Blockers' in references/blockers-and-recovery.md for findings related to secrets, tokens, or private keys, and explicitly instructs against committing .env files in references/commit-strategy.md.
Audit Metadata