setup-optimize-code-action

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill configures a GitHub Action workflow and an AI prompt that processes data from Pull Requests (titles, bodies, and code diffs). This creates an indirect prompt injection surface where a malicious contributor could craft a PR containing instructions designed to subvert the AI reviewer's logic, bypass its constraints, or manipulate the feedback posted to the repository.
    • Evidence:
      • Ingestion point: The workflow in .github/workflows/gemini-optimize-code.yml maps ISSUE_TITLE and ISSUE_BODY from the GitHub event to environment variables.
      • Capability inventory: The agent uses the github-mcp-server, which grants the pull_request_review_write and add_comment_to_pending_review capabilities.
      • Boundary markers: The .github/commands/gemini-optimize-code.toml file includes a 'Critical Security and Operational Constraints' section with 'Input Demarcation' rules to mitigate this, though these are not foolproof against sophisticated attacks.
      • Sanitization: No explicit sanitization or filtering of the PR content is performed before it is passed to the model.
  • [COMMAND_EXECUTION]: The generated prompt configuration file (.github/commands/gemini-optimize-code.toml) uses a dynamic shell execution syntax, !{echo $VARIABLE}, to interpolate environment variables into the agent's prompt. While the variables currently used (REPOSITORY, PULL_REQUEST_NUMBER) are generally safe, this pattern is inherently dangerous: if a user or an automated process were to map untrusted data (such as a PR body) to an environment variable used in this way, the result would be a command injection vulnerability in the CI/CD environment.
    • Evidence:
      • File: .github/commands/gemini-optimize-code.toml contains !{echo $REPOSITORY}, !{echo $PULL_REQUEST_NUMBER}, and !{echo $ADDITIONAL_CONTEXT}.
  • [EXTERNAL_DOWNLOADS]: The skill configures the use of the google-github-actions/run-gemini-cli@v0 action and the ghcr.io/github/github-mcp-server:v0.27.0 Docker container. These originate from well-known and official sources and pose no direct security threat in this context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 24, 2026, 11:54 PM