pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests external, untrusted data from pull request diffs and metadata which could contain malicious instructions.
  - Ingestion points: Fetching diffs and PR metadata using git and gh commands in _review-core.md.
  - Boundary markers: None present to isolate PR content from instructions.
  - Capability inventory: Ability to execute shell commands and spawn sub-agents using the Agent tool in SKILL.md.
  - Sanitization: No sanitization of the PR content is performed before processing.
- [COMMAND_EXECUTION]: Unsafe Shell Command Construction. The methodology in _review-core.md directs the agent to execute shell commands by interpolating variables like $ARGUMENTS, $BASE_REF, and $HEAD_REF directly into command strings. This pattern could lead to command injection if these variables are influenced by an attacker and not sanitized by the platform.
  - Evidence: Usage of git diff and gh pr view with unsanitized environment variables in _review-core.md.
Audit Metadata