pull-request-review
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It fetches PR descriptions and comments using the GitHub CLI and processes them to generate implementation steps. Since PR content is user-generated and untrusted, an attacker could embed malicious instructions within a pull request or comment to manipulate the agent's behavior.
- Ingestion points: PR metadata and comments fetched via 'gh pr view' and 'gh api' in Step 1.
- Boundary markers: No delimiters or 'ignore' instructions are used to encapsulate the external PR data.
- Capability inventory: The skill has access to the 'Bash' tool, which allows for command execution based on the generated plan.
- Sanitization: No sanitization or validation of the PR comment content is performed.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute GitHub CLI commands. The direct use of '$ARGUMENTS' in a shell command ('gh pr view $ARGUMENTS') creates a potential for command injection if the input is not sanitized by the underlying framework. Additionally, the workflow involves running local project scripts like 'bun run lint', which could be compromised if the pull request being reviewed has modified them.
Audit Metadata