review-flow

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Command Execution (MEDIUM): The skill performs command interpolation using the user-provided argument in "gh wt co $1" without sanitization, creating a potential command injection surface.
  • Remote Code Execution (MEDIUM): The "Output" section specifies generating and running "Shell+Expect" scripts based on PR content. This allows a PR author to potentially execute arbitrary commands on the agent's system via indirect injection.
  • External Downloads (LOW): The process relies on external "subagents" (QA, deslop, fixci) which are not defined in the skill and represent unverifiable external dependencies.
  • Indirect Prompt Injection (LOW):
      • Ingestion points: Pull request code and metadata ($1).
      • Boundary markers: Absent.
      • Capability inventory: GitHub CLI commands, file system navigation (~/ghq), and the ability to push code changes.
      • Sanitization: None. The skill implicitly trusts the code and instructions found within the PR being reviewed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:08 PM