resolve-pr-parallel
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves PR comments via scripts/get-pr-comments and automatically spawns sub-agents to implement instructions found within those comments.
  - Ingestion points: PR comment bodies are fetched from the GitHub API in scripts/get-pr-comments and passed directly to sub-agents as task instructions in SKILL.md.
  - Boundary markers: None identified; untrusted comment text is not delimited or explicitly labeled as external data.
  - Capability inventory: The skill and its sub-agents have access to gh, git, and bash, which allow for code modifications, committing changes, and interacting with the repository.
  - Sanitization: No sanitization, escaping, or filtering of external comment text is performed before it is interpolated into agent tasks.
- [COMMAND_EXECUTION]: The skill executes local bash scripts and GitHub CLI commands to interact with PR metadata and the git filesystem.
  - Evidence: The workflow calls scripts/get-pr-comments and scripts/resolve-pr-thread, and uses tools like gh and git as defined in the allowed-tools section.
  - Context: These operations are required for the primary function of resolving PR comments and are not considered dangerous in this context.