github-pr
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill possesses an attack surface for indirect prompt injection as it ingests and processes untrusted external data.
- Ingestion points: The orchestrator reads repository content (`CLAUDE.md`), pull request diffs, and previous pull request comments using the `gh` tool (`references/pr-review-orchestrator.md`).
- Boundary markers: The prompt lacks explicit delimiters or "ignore embedded instructions" warnings to isolate untrusted PR data from the agent's internal instructions.
- Capability inventory: The skill has the capability to write back to GitHub using `gh pr comment` (`SKILL.md`).
- Sanitization: No sanitization, escaping, or validation of the PR content is performed before interpolation into the prompts for the Sonnet and Haiku agents.
Audit Metadata