pull-request-review

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because Step 6 instructs the agent to follow setup instructions found in untrusted files (e.g., README.md, CONTRIBUTING.md) within the pull request branch. An attacker could place malicious commands in these files that the agent would then execute.
  • Ingestion points: README.md, CONTRIBUTING.md, docs/ directory, DEVELOPMENT.md, and SETUP.md in the worktree of the PR branch.
  • Boundary markers: Absent. The skill does not provide any delimiters or warnings to treat documentation as untrusted data.
  • Capability inventory: The agent is authorized to install packages (npm, pip, yarn, bundle), run database migrations, build assets, and execute general shell commands.
  • Sanitization: Absent. The skill explicitly directs the agent to follow the documented setup steps exactly.
  • [COMMAND_EXECUTION]: The workflow relies on executing shell commands derived from untrusted external documentation supplied in the pull request, which gives a malicious actor a direct path to code execution on the host system.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 25, 2026, 04:41 AM