posting-review-summary
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted content from PR metadata which serves as a significant attack surface.
- Ingestion points: The skill explicitly reads and evaluates the PR title, description, and test plan, as described in the 'PR Metadata Assessment' section of SKILL.md.
- Boundary markers: Absent. There are no instructions or delimiters provided to isolate untrusted PR content from the agent's instructions, making it susceptible to 'ignore previous instructions' style attacks embedded in PR descriptions.
- Capability inventory: The skill can update external GitHub comments via `mcp__github_comment__update_claude_comment` and perform local file writes to `review-summary.md`.
- Sanitization: Absent. No logic is provided to sanitize, escape, or validate the PR metadata before it is processed or included in the final output.
- Command Execution (LOW): While the skill defines routing logic, the execution is handled via specific MCP tools or standard file writes, which is typical for its purpose, but the lack of input validation on the content being written increases the risk profile.
Recommendations
- AI detected serious security threats
Audit Metadata