pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection attacks because its primary function is to ingest and analyze untrusted external data from GitHub Pull Requests.
  - Ingestion points: The skill reads the PR title, body, and full code diff using `gh pr view` and `gh pr diff` (documented in `SKILL.md`).
  - Boundary markers: There are no explicit instructions or delimiters defined to help the agent distinguish between the skill's operational instructions and the potentially malicious instructions embedded within the code or PR description being reviewed.
  - Capability inventory: The agent has the authority to perform actions back on the repository via `gh pr review`, including posting comments, requesting changes, or approving the PR.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the PR before it is processed by the agent's logic.
- [COMMAND_EXECUTION]: The skill relies on the `Bash` tool to interact with the GitHub CLI (`gh`). While restricted to the `gh` namespace, the agent executes commands such as `gh pr review` using content derived from its analysis, which could be manipulated via the aforementioned indirect prompt injection vector.
Audit Metadata