Skills
skills/charlietlamb/skills/pr-review-response/Gen Agent Trust Hub

pr-review-response

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a direct bridge between untrusted external content and write-privileged capabilities.
  • Ingestion points: Data enters the system via gh api calls targeting PR comments, reviews, and issue comments (SKILL.md).
  • Boundary markers: None. The instructions do not use delimiters or provide warnings to the agent to treat the fetched text as data rather than instructions.
  • Capability inventory: The skill is authorized to read local files and use the 'Edit tool' to modify them. It is also tasked with 'adding tests', which involves further filesystem writes.
  • Sanitization: No validation or sanitization is mentioned; the skill is explicitly instructed to 'Apply requested changes' from the comments.
  • [Command Execution] (MEDIUM): The skill constructs shell commands using variables ({owner}, {repo}, {number}) derived from a user-provided URL. If the URL parsing logic is flawed, an attacker could potentially inject CLI arguments or manipulate the API paths used by the gh utility.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:48 AM