bmad-os-review-pr
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using `git` and `gh` (GitHub CLI), including `git status`, `gh pr checkout`, `gh pr view`, `gh pr diff`, and `gh pr comment`. These commands modify the local environment by checking out code from remote branches and interact with the GitHub API to post comments.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted code changes from pull requests to generate reviews, creating an attack surface where an attacker could embed malicious instructions in the PR diff.
  - Ingestion points: Untrusted data enters the agent context via `gh pr diff`, which is then passed as context to the adversarial and edge-case review subagents in steps 1.1 and 1.2.
  - Boundary markers: The prompt instructions for subagents do not specify explicit delimiters (like XML tags or unique markers) to separate the system instructions from the untrusted PR content.
  - Capability inventory: The agent has the capability to write local files, checkout external code branches (`gh pr checkout`), and post comments to external repositories (`gh pr comment`).
  - Sanitization: The skill implements a "Tone Transformation" step in section 2.0 to neutralize inflammatory language, but this does not validate or sanitize the technical content extracted from the PR diff against injection attacks.