reviewing-pull-requests
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local Python and Bash scripts (`scripts/pr-manager.py` and `scripts/quality-gates.sh`) to interact with the GitHub CLI (`gh`) and `git`. These scripts utilize argument lists in subprocess calls, which is a secure practice that prevents shell injection vulnerabilities when processing untrusted pull request data such as branch names, titles, and descriptions.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) because its primary function is to ingest and analyze untrusted data.
  - Ingestion points: Untrusted data enters the agent context through PR titles, descriptions, and code diffs fetched via `gh pr view` and `gh pr diff` in the management scripts.
  - Boundary markers: The skill instructions do not specify any delimiters or safety prompts to ensure the agent ignores instructions that may be embedded within the PR content being reviewed.
  - Capability inventory: The skill possesses the ability to create/edit pull requests, assign reviewers, and update project boards via the `gh` tool.
  - Sanitization: While the scripts prevent shell-level injection, there is no natural language sanitization to filter or neutralize malicious instructions contained within the pull request data itself.
Audit Metadata