
review-pr

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external content from GitHub pull requests, which is a primary vector for indirect injection attacks.
  • Ingestion points: Untrusted data enters the agent context through gh pr view (capturing descriptions and comments) and gh pr diff (capturing code changes) as defined in SKILL.md.
  • Boundary markers: The instructions lack any requirement to use delimiters or 'ignore' blocks to separate system instructions from the PR content being analyzed.
  • Capability inventory: The skill uses the gh CLI for GitHub operations. If the environment's gh configuration has write permissions (common for PR bots), an attacker could craft a PR that instructs the agent to perform unauthorized actions such as merging code, deleting branches, or exfiltrating repository secrets.
  • Sanitization: There is no evidence of sanitization or filtering of the content retrieved from GitHub.
  • Command Execution (LOW): The skill legitimately uses the gh CLI to perform its stated tasks. While these are standard operations, the reliance on a subprocess-based CLI tool increases the impact of a successful injection attack.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 04:21 AM