skills/chanmuzi/git-claw/review-reply/Gen Agent Trust Hub

review-reply

Pass

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it fetches and processes review comments from GitHub PRs, which are untrusted external inputs.
      • Ingestion points: Untrusted data enters the agent context through multiple gh api calls in SKILL.md (Step 1) that fetch pull request comments, review summaries, and issue-level comments.
      • Boundary markers: The instructions do not define boundary markers to isolate the comment content or warn the agent to ignore any instructions embedded within the comments.
      • Capability inventory: Across all scripts, the skill has access to Bash(gh *), Bash(git *), Read, Grep, and Glob. It also performs code modifications via the Edit tool.
      • Sanitization: There is no evidence of sanitization, filtering, or validation of the comment body text before it is analyzed or used to generate responses.
  • [COMMAND_EXECUTION]: The skill constructs shell commands using data derived from external comments (e.g., {summary}, {comment_url}, and {reply_body}). When creating issues via gh issue create or posting replies via gh api, these variables are interpolated into command strings. If an attacker-controlled comment contains shell metacharacters or command substitution patterns, it may lead to unintended command execution when the agent processes the feedback.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 25, 2026, 06:31 AM