resolve-ai-pr-reviews
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from GitHub comments and uses that data to influence agent actions (code fixes).
- Ingestion points: Comments are fetched from GitHub PR and Issue APIs in Step 2 of
SKILL.mdusinggh apicalls. - Boundary markers: No boundary markers or specific "ignore embedded instructions" warnings are used when processing the comment bodies.
- Capability inventory: The skill allows the agent to modify local files (Step 4), execute GraphQL mutations to resolve threads (Step 5), and post PR comments (Step 6).
- Sanitization: The skill uses
jqto filter authors by regex (test("coderabbitai|gemini"; "i")). This reduces the attack surface but could be bypassed by accounts with similar names (e.g., "not-gemini") or if the trusted bot accounts are compromised. - Command Execution (SAFE): The skill uses the
gh(GitHub) CLI to interact with repositories. - Evidence: Shell blocks in Steps 2, 5, and 6 construct commands using variables like
$OWNER,$REPO, and$PR. - Context: These variables are sourced locally from the environment via
gh repo view, which is a trusted local context, significantly mitigating command injection risks.
Audit Metadata