pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from Pull Request descriptions, commit messages, and diffs to determine task context and verify requirements.
  - Ingestion points: Pull Request body and commits are ingested via `gh pr view`, and code changes are read through `gh pr diff` in the Validation and Quick Start sections.
  - Boundary markers: There are no markers or delimiters used to isolate untrusted PR content from the agent's internal instructions.
  - Capability inventory: The skill can execute GitHub API requests to post reviews and merge PRs, manage tasks via `kspec`, and execute shell commands via `npm test`.
  - Sanitization: No sanitization or validation is applied to PR trailers (e.g., 'Task:' or 'Spec:') or inline code annotations before they are used for logic branching.
- [COMMAND_EXECUTION]: The skill executes local commands that interact with the repository and external APIs.
  - Evidence: The 'Regression Check' gate runs `npm test`, which executes scripts defined in the PR branch's configuration, potentially allowing arbitrary code execution from untrusted code.
  - Evidence: The skill constructs and writes a JSON payload to `/tmp/pr-review-body.json` and uses the `gh api` command to interact with the GitHub API.
Audit Metadata