ah-review-code
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates user-provided input directly into shell commands, which can lead to command or argument injection if the input is maliciously crafted.
  - Evidence: In `SKILL.md`, the `PR_NUMBER` variable is extracted from user input and used in commands such as `gh pr view ${PR_NUMBER}` and `gh pr checkout ${PR_NUMBER}` without any validation or sanitization.
- [COMMAND_EXECUTION]: The skill constructs file system paths using variables derived from external or user-provided sources, creating a risk of path traversal.
  - Evidence: The `REVIEW_FILE` path is constructed as `${REVIEWS_DIR}/code-review-${REVIEW_ID}.md`, where `REVIEW_ID` incorporates the user-supplied `PR_NUMBER`. A value like `../../tmp/exploit` could result in files being written outside the intended directory.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves untrusted code changes and processes them using multiple LLM-based sub-agents.
  - Ingestion points: The `DIFF_FILE` created in Step 4 contains code diffs from remote pull requests or local branches, which are attacker-controlled data.
  - Boundary markers: The prompts provided to sub-agents do not include delimiters or instructions to ignore or treat the diff content as untrusted data.
  - Capability inventory: The skill and its sub-agents have access to the local file system, the GitHub CLI, and the ability to invoke other functional skills.
  - Sanitization: There is no logic to filter or sanitize the contents of the diff files before they are presented to the LLM sub-agents for analysis.
Audit Metadata