review-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (CRITICAL): The skill is critically vulnerable to indirect prompt injection via the PR body metadata.
  - Ingestion points: The skill uses `gh pr view` to fetch the PR body (untrusted external data).
  - Boundary markers: No delimiters or isolation techniques are used to separate the PR content from the skill's logic.
  - Capability inventory: The skill has access to full Bash execution, `gh api` (write access), and branch modification capabilities.
  - Sanitization: None. The skill explicitly instructs the agent to extract and "Run each command or verification step listed in the test plan" found in the PR body.
- [REMOTE_CODE_EXECUTION] (CRITICAL): The design of the skill creates an unauthenticated remote code execution (RCE) vector. Any user capable of opening a PR against the target repository can execute arbitrary shell commands on the agent's runner by embedding them in the PR's test plan section.
- [COMMAND_EXECUTION] (HIGH): The skill uses high-privilege tools (GitHub CLI with write/merge permissions) and passes them parameters derived directly from untrusted PR content, facilitating privilege escalation and persistence if exploited.
Recommendations
- AI detected serious security threats
Audit Metadata