review-pr
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several local shell scripts (e.g.,
scripts/pr-review,scripts/pr) that take a user-provided<PR>variable. If the input is not strictly validated, it could lead to command injection. Furthermore, the skill uses thesourcecommand to load.local/review-context.env. This pattern executes the content of the file in the current shell environment, which is dangerous if the file is populated with unsanitized data from external PR metadata.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from GitHub PR descriptions and diffs.\n - Ingestion points: PR descriptions and diff data retrieved via
gh pr diff <PR>.\n - Boundary markers: No delimiters or isolation instructions are present to prevent the agent from following instructions embedded in the PR data.\n
- Capability inventory: The agent has the ability to execute shell scripts, use the GitHub CLI to modify PR state (assigning users), and write to the local filesystem.\n
- Sanitization: There is no evidence of sanitization or validation of the external content before it is used by the agent.
Audit Metadata