github-review-pr
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted content from GitHub Pull Requests to guide agent behavior.
  - Ingestion points: The workflow reads PR descriptions via 'gh pr view', code diffs via 'gh pr diff', repository guidance files ('CLAUDE.md' and 'AGENTS.md'), and inline code comments, all of which are attacker-controllable.
  - Boundary markers: Absent. There are no specified delimiters or 'ignore embedded instructions' warnings to prevent the agent from obeying commands found within the PR data.
  - Capability inventory: The skill uses the 'gh' CLI tool to list PRs, view changes, post comments, and interact with the GitHub API ('gh api'), providing a broad surface for unauthorized actions if the agent is manipulated.
  - Sanitization: Absent. The instructions do not include any steps for sanitizing, escaping, or validating the input data from the PR before it is passed to the specialized review subagents.
Audit Metadata