code-reviewer
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute 'npm run preflight' after checking out a remote Pull Request using the GitHub CLI. Because the content of the pull request (including the package.json file where scripts are defined) is controlled by an external, potentially malicious author, this allows for arbitrary code execution on the host system.
- [COMMAND_EXECUTION]: The workflow relies on executing several shell commands ('git diff', 'git status', 'gh pr checkout', 'npm run preflight') on code that has not been reviewed or validated.
- [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection by ingesting and acting upon untrusted data from pull requests. * Ingestion points: The agent is instructed to read PR descriptions, comments, and code diffs as described in the workflow of 'SKILL.md'. * Boundary markers: There are no boundary markers or instructions to treat external data as untrusted or to ignore instructions embedded within the code. * Capability inventory: The agent has the capability to execute shell commands ('git', 'gh', 'npm'). * Sanitization: The skill does not include any steps to sanitize or validate the external input before it is analyzed or used to trigger script execution.
Recommendations
- AI detected serious security threats
Audit Metadata