sentry-pr-code-review
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using the GitHub CLI (`gh`) and `jq` to interact with repository data.
  - Evidence: Uses `gh api` to fetch comments and `gh pr list` to identify active pull requests.
- [DATA_EXPOSURE]: Accesses pull request comments and local source code files to perform its primary function of code review.
  - Evidence: Phase 1 and 3 involve reading file contents and comment bodies to identify bug locations and descriptions.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to parse and potentially act upon instructions contained within external GitHub comments.
  - Ingestion points: Pull request comments fetched via the `gh api` command in Phase 1.
  - Boundary markers: The skill relies on specific Markdown headers (e.g., `Prompt for AI Agent`) to delimit data, but lacks strict programmatic boundaries to prevent instruction leakage.
  - Capability inventory: The agent has the capability to read/write local files (Phase 3) and execute CLI commands (Phase 1).
  - Sanitization: There is no evidence of input sanitization or validation of the fetched comment body before the agent processes the "Suggested Fix" or "AI Prompt" sections.
  - Mitigation: The risk is significantly reduced by a hardcoded filter that only processes comments authored by the verified `seer-by-sentry[bot]` account, preventing arbitrary users from injecting instructions.
Audit Metadata