async-pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Dynamic Code Generation and Execution: The skill employs a headless LLM to analyze Pull Request diffs and instructs it to physically exercise the code by writing and running temporary scripts. This executes code derived from untrusted external input without explicit user confirmation for the generated actions.
  - Evidence: In scripts/async-review.sh (lines 123-124), the prompt directs the LLM to physically exercise the newly changed code in the terminal and states "Do not ask for user confirmation."
- Indirect Prompt Injection Surface: The skill processes external data from Pull Requests and passes it to an LLM with shell execution capabilities. This creates a surface where a malicious PR could attempt to influence the LLM's behavior via embedded instructions.
  - Ingestion points: The skill fetches untrusted data using gh pr diff and gh pr checks in scripts/async-review.sh.
  - Boundary markers: The prompt provided to the LLM does not use specific delimiters to isolate the PR diff from the instructions.
  - Capability inventory: The agent has access to run_shell_command and is directed to use it to exercise the code.
  - Sanitization: There is no evidence of sanitization or filtering applied to the PR content before analysis.
- Automated Development Workflows: The scripts automate significant repository operations, including git worktree management and dependency installation, which are necessary for the review process.
  - Evidence: scripts/async-review.sh performs operations such as git worktree add, npm ci, and npm run build.
- System Notifications: The skill uses system-level commands to provide user feedback through terminal escape sequences and macOS notifications.
  - Evidence: The notify function in scripts/async-review.sh (lines 11-13) uses osascript for macOS notifications.
Audit Metadata