pr-triage
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from GitHub Pull Requests.
  - Ingestion points: The skill reads PR titles, bodies, and code diffs via `gh pr view` and `gh pr diff` commands as described in SKILL.md steps 1 and 3.
  - Boundary markers: Absent. There are no instructions or delimiters provided to the agent to distinguish between triage instructions and the untrusted PR content.
  - Capability inventory: The skill executes local commands (`gh`, `git`) and has the ability to write analysis results to the local filesystem (`.pr-triage.json`).
  - Sanitization: Absent. The skill does not perform any validation or escaping of the PR content before processing it.
- [COMMAND_EXECUTION]: The skill uses local system commands `gh` (GitHub CLI) and `git` to retrieve repository information and PR details. This is necessary for its stated purpose but constitutes a capability that could be targeted by injection.
Audit Metadata