attach-review-to-pr
Audited by Gen Agent Trust Hub on Feb 13, 2026
================================================================================
✅ VERDICT: SAFE
This skill is a detailed guide for interacting with the GitHub API via the gh CLI tool and an MCP tool. It is well-documented, transparent, and does not exhibit any malicious behavior. The commands it instructs the agent to execute are explicitly whitelisted in the allowed-tools metadata, ensuring that the agent only performs intended GitHub operations.
Total Findings: 1
ℹ️ INFO Findings: • Indirect Prompt Injection Risk
- Line 1: The skill processes user-provided text for pull request comments. While the skill itself is not malicious, if a user provides malicious content within the comment body, it could potentially lead to indirect prompt injection for recipients of the comment or other AI systems processing the comments. This is an inherent risk of any tool that allows user-generated content.
================================================================================
Detailed Analysis:
- Obfuscation: No obfuscation techniques (e.g., Base64, zero-width characters, homoglyphs, excessive encoding) were detected in the skill's content or metadata.
- Prompt Injection: No patterns indicative of direct prompt injection (e.g., "IMPORTANT: Ignore", role-play instructions, jailbreak attempts) were found.
- Data Exfiltration: The skill primarily uses gh api to interact with api.github.com. This is a legitimate and expected interaction for a GitHub-related skill. No sensitive file paths (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) are accessed, and no network operations to untrusted or arbitrary external domains were identified.
- Unverifiable Dependencies: The skill relies on the gh CLI being installed and authenticated as a prerequisite, which is a trusted tool from GitHub. It also references an MCP tool (mcp__github_inline_comment__create_inline_comment). The skill itself does not install or download any external, unverified dependencies.
- Privilege Escalation: No commands or patterns (e.g., sudo, chmod +x, chmod 777, modifications to system files or services) that would attempt to escalate privileges were found.
- Persistence Mechanisms: No attempts to establish persistence (e.g., modifying ~/.bashrc, crontab, authorized_keys, or systemd/LaunchAgent files) were detected.
- Metadata Poisoning: The skill's metadata fields (name, description, argument-hint, allowed-tools) are clean and accurately reflect the skill's purpose without any hidden malicious instructions.
- Indirect Prompt Injection: As noted in the INFO finding, the skill's function involves taking user input for pull request comments. While the skill itself is safe, the content provided by the user could be crafted to perform indirect prompt injection if processed by other AI systems or viewed by users susceptible to such attacks. This is a general risk for user-generated content and not a direct vulnerability of the skill's code.
- Time-Delayed / Conditional Attacks: No conditional logic based on dates, usage counters, or environment variables that would trigger delayed or specific malicious behavior was found.
- Allowed Tools Analysis: The allowed-tools explicitly permit Bash(gh api:*), Bash(gh auth:*), Bash(gh pr:*), and mcp__github_inline_comment__create_inline_comment. This whitelist ensures that the agent's command execution is confined to the trusted GitHub CLI and the specified MCP tool, aligning perfectly with the skill's stated purpose and preventing arbitrary command execution.