cli-review-fix

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/cli-review-detect.sh contains a command injection vulnerability. It uses the eval command on the output of a Python script that parses data from the GitHub CLI (gh pr view). Because the Python script does not escape the Pull Request title or branch names, an attacker can execute arbitrary shell commands on the user's system by crafting a Pull Request with a malicious title (e.g., `"; touch /tmp/pwned; #"`).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from git diffs and Pull Request metadata to generate fixes. Malicious instructions embedded in the code changes or metadata could influence the agent to perform unauthorized actions or apply dangerous code changes. Evidence:
      • Ingestion points: scripts/cli-review-detect.sh (via gh pr view), scripts/cli-review-codex.sh (via git diff), and CLI tool outputs.
      • Boundary markers: Partial markers are used in the Codex review prompt, but the instructions in references/review-prompt.md lack robust delimiters to separate instructions from untrusted diff data.
      • Capability inventory: File system modification (fixing code), shell command execution (including project-specific test suites), and network access via external CLI tools.
      • Sanitization: No sanitization or validation is performed on the diff content or PR metadata prior to evaluation by the LLM or execution in the shell.
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install external CLI tools from official repositories of trusted organizations (OpenAI and Google Gemini).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 20, 2026, 04:04 PM