pr-review-fix
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests data from external, potentially attacker-controlled sources such as Pull Request titles, review comments, and CI logs.
- Ingestion points: references/discovery.md (lines 14, 38, 47, 53) fetches PR lists, check results, failed logs, and review comments.
- Boundary markers: No delimiters or safety instructions are provided to the agent to treat this external content as untrusted.
- Capability inventory: The skill has powerful capabilities, including executing build/test scripts (npm run build, npm run test) and pushing code to remote branches (git push).
- Sanitization: There is no evidence of sanitization or validation of the text retrieved from GitHub before it influences the agent's logic or code generation.
- [COMMAND_EXECUTION]: The skill performs extensive shell command execution using the gh CLI, git, and npm. While these commands are aligned with the skill's purpose (PR discovery and fixing), they provide the necessary primitives for an attacker to achieve code execution or data exfiltration if they successfully exploit the indirect prompt injection surface described above.
Audit Metadata