address-reviews

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from GitHub PR comments and review bodies.
      • Ingestion points: Step 2 utilizes gh api to fetch the body field from PR reviews, inline comments, and issue comments, which are attacker-controllable inputs.
      • Boundary markers: The instructions do not provide delimiters or "ignore embedded instructions" warnings for the fetched content.
      • Capability inventory: The skill has access to the Bash tool (limited to git and gh), the Read tool, and the EnterPlanMode capability, allowing it to read code and propose changes based on the untrusted input.
      • Sanitization: No validation or sanitization of the comment bodies is performed before they are used in the planning phase.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool for repository and PR interaction. While the commands are restricted to git and gh via an allow-list, the permission gh api:* is broad, granting the agent the ability to call any GitHub API endpoint authorized by the user's token.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 3, 2026, 12:24 PM