review
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted pull request comments and review summaries from external contributors.
  - Ingestion points: Pull request comments and review bodies are fetched from the GitHub API using `gh api` in `SKILL.md` (Step 1).
  - Boundary markers: The skill does not define clear delimiters or instructions to the agent to treat fetched comment content as untrusted data or to ignore embedded commands.
  - Capability inventory: The skill possesses the ability to execute shell commands (`gh`), read local source files, modify files using the `Edit` tool, and post content back to GitHub.
  - Sanitization: There is no evidence of sanitization, filtering, or escaping of the fetched GitHub comment strings before they are presented to the agent for evaluation.
- [COMMAND_EXECUTION]: The skill relies on the GitHub CLI (`gh`) to perform its primary functions, including querying pull request status and posting replies. While these are necessary for the skill's purpose, they provide a vector for command-line interaction that could be leveraged if the agent's logic is subverted by malicious input.
Audit Metadata