pr-review
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a wide range of shell commands to interact with the environment, including `gh`, `glab`, `git`, `awk`, `sed`, `grep`, and `python3`. These commands are used to extract PR metadata, parse code diffs, and interact with repository APIs.
- [DYNAMIC_EXECUTION]: In `modules/insight-generation.md`, the skill executes Python code via `python3 -c` using shell variables like `$FINDING_SUMMARY` and `$EVIDENCE`. These variables contain content directly extracted from the PR being reviewed. Lack of sanitization before interpolation into the Python string literal creates a code injection vulnerability if the PR contains specially crafted characters.
- [DATA_EXFILTRATION]: The skill is designed to transmit PR analysis findings to external destinations such as GitHub Discussions and the repository's issue tracker via the `insight-generation.md` and `knowledge-capture.md` modules.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from PR descriptions, commit messages, and code changes in `SKILL.md` (Phase 1 and 2).
  - Ingestion points: PR metadata and diffs are fetched via `gh pr view`, `gh pr diff`, `glab mr view`, and `glab mr diff`.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when processing PR content.
  - Capability inventory: The agent has the ability to execute shell commands, run Python scripts, write local files, and make network requests via the GitHub/GitLab APIs.
  - Sanitization: There is no evidence of sanitization, escaping, or validation performed on the ingested PR data before it is processed or used in further commands.
Audit Metadata