pr-writing-review
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and analyzes untrusted data.
- Ingestion points: The script `scripts/extract_pr_reviews.py` fetches data (comments, code suggestions, and file evolution) from user-provided GitHub PR URLs.
- Capability inventory: Extracted content is provided to the LLM for 'Pattern recognition', 'Paragraph comparison', and 'style lesson synthesis'.
- Boundary markers: The skill documentation does not mention the use of delimiters or specific boundary markers to isolate untrusted PR content from the agent's system instructions.
- Sanitization: There is no evidence of sanitization, filtering, or validation performed on the external content before it is processed by the AI.
- Risk: A malicious PR could contain instructions (e.g., in a code suggestion or feedback comment) designed to trick the agent into ignoring its constraints or performing unauthorized actions while the 'analysis' is being conducted.