pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted external content and has capabilities that could be used for repository compromise.
  - Ingestion points: Untrusted data is retrieved using `gh pr view`, `gh pr diff`, and `gh api` in `references/review.md`.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to ignore commands embedded in the fetched PR content.
  - Capability inventory: The skill has the authority to approve PRs (`gh pr review --approve`), comment on PRs, and perform git operations like `git push` and `git commit`.
  - Sanitization: Absent. The content retrieved from GitHub is processed directly without validation or filtering.
- Command Execution (LOW): The skill relies on the execution of `git` and `gh` CLI commands to interact with the environment. While these are necessary for its functionality, they provide the mechanism through which an injection attack would be carried out.
Recommendations
- AI detected serious security threats
Audit Metadata