github-pr-manager
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest untrusted data from external sources, specifically Pull Request metadata (titles, bodies) and code diffs via tools like `gh pr view` and `gh pr list`.
  - Ingestion points: SKILL.md examples show usage of `gh pr view` and `gh pr list` which fetch PR content into the agent's context.
  - Boundary markers: None identified. The instructions do not specify the use of delimiters or warnings to ignore instructions embedded in the PR data.
  - Capability inventory: The skill has significant capabilities including executing shell commands (`Bash`), managing files, and performing GitHub write operations (merging, approving).
  - Sanitization: There is no evidence of sanitization or validation of the fetched PR content before it is processed or used in subsequent commands.
- [Command Execution] (LOW): The skill relies on the execution of shell commands such as `gh`, `git`, and `npm`. While these are necessary for the skill's primary purpose, they provide a powerful primitive that could be abused if an attacker influences the agent's logic through a malicious PR.
- [Remote Code Execution Surface] (LOW): The skill's 'Batch PR Operations' and 'Hooks' sections demonstrate the execution of `npm test` and `npm run build`. If an attacker-controlled Pull Request modifies the `scripts` section of a `package.json` file, the agent may inadvertently execute malicious code during the automated testing or validation phase.
Audit Metadata