code-reviewer
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill instructs the agent to run 'npm run preflight'. Because this command executes scripts defined in the project's 'package.json', a malicious Pull Request could include a script that performs unauthorized actions (such as data exfiltration or persistence) when the preflight command is triggered. While this is part of the code review process, it executes before the analysis is complete.
- REMOTE_CODE_EXECUTION (MEDIUM): The workflow involves downloading remote code via 'gh pr checkout' followed by immediate execution of local scripts. This sequence creates a path for remote code execution if the Pull Request source is untrusted.
- PROMPT_INJECTION (LOW): The skill processes untrusted data from PR descriptions, comments, and code changes without explicit delimiters or instructions to ignore embedded commands. This creates a surface for Indirect Prompt Injection.
  - Ingestion points: 'gh pr checkout' (pulls remote code), 'git diff' (reads local changes), and PR descriptions/comments.
  - Boundary markers: Absent. There are no markers to separate untrusted code/comments from the agent's instructions.
  - Capability inventory: 'npm run preflight' (subprocess execution) and 'git' (filesystem access).
  - Sanitization: Absent. External content is interpolated directly into the agent's context.
Audit Metadata