pr-reviewer
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill has a significant attack surface for indirect prompt injection from untrusted PR content.
  - Ingestion points: Fetches PR diffs, comments, and review threads using `gh api` and GraphQL queries in `SKILL.md`.
  - Boundary markers: Absent; the agent is not instructed to use delimiters or treat the PR content as untrusted data.
  - Capability inventory: The skill can write files (reports), and has the authority to commit and push code changes in 'Fix Mode'.
  - Sanitization: Absent; the skill does not specify any validation or escaping for the data retrieved from the GitHub API.
- [COMMAND_EXECUTION] (LOW): The skill relies on the GitHub CLI (`gh`) for its core operations. While this is the intended functionality, it involves executing commands with parameters derived from external PR metadata, which could be a vector if not handled securely by the underlying execution environment.
Audit Metadata