sentry-pr-code-review
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) by design.
  - Ingestion points: Fetches untrusted data from GitHub Pull Request comments using the `gh api` command in SKILL.md.
  - Boundary markers: Absent; the skill parses content from specific Markdown tags (e.g., `<summary>🤖 <b>Prompt for AI Agent</b></summary>`) without sanitization or 'ignore embedded instructions' delimiters.
  - Capability inventory: The agent has the ability to read local files, modify/write local files ('Implement fix'), and execute the `gh` CLI.
  - Sanitization: Absent; it treats the extracted 'Suggested Fix' and 'AI Prompt' as valid guidance for code modification.
  - Risk: An attacker could post a PR comment using an account name starting with 'sentry' containing malicious instructions that lead the agent to delete code or inject backdoors.
- COMMAND_EXECUTION (LOW): Executes the `gh` (GitHub CLI) tool to interact with remote repositories. This processes external data (owner, repo, PR number) which should be handled with care.
Audit Metadata