sentry-code-review
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE; categories flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It is explicitly instructed to parse a section titled 'Prompt for AI Agent' within GitHub Pull Request comments and follow the instructions therein to implement code fixes. If an attacker or a compromised bot provides a crafted comment, the agent could be manipulated into introducing vulnerabilities or backdoors, or into performing unauthorized code modifications.
  - Ingestion points: The skill ingests untrusted data from GitHub PR comments via the 'gh api repos/{owner}/{repo}/pulls/<PR_NUMBER>/comments' command.
  - Boundary markers: While the skill expects a specific Markdown/HTML structure (e.g., details tags), it lacks explicit instructions to ignore or sanitize adversarial commands embedded within the 'Prompt for AI Agent' section.
  - Capability inventory: Across its workflow, the skill relies on 'Read' and 'Edit' tools to view and modify the local repository's source code based on the parsed instructions.
  - Sanitization: There is no mechanism for sanitizing or validating the content retrieved from the GitHub API before the agent adopts it as functional instructions.
- [COMMAND_EXECUTION]: The skill executes the 'gh' (GitHub CLI) tool to retrieve pull request metadata and comments. This is a legitimate operation used to fulfill the skill's primary purpose of code review automation.