PR Review Integration
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Potential Shell Command Injection. The skill's workflow (SKILL.md, Step 5) and patterns (patterns.md) involve building shell commands like `gh pr comment <pr-number> --body "..."`. The content for the `--body` argument is derived directly from untrusted external sources like GitHub Pull Request descriptions and Linear issue requirements. If the agent executes these commands via a shell without rigorous escaping, an attacker could include malicious characters (e.g., backticks, semicolons) in a PR or issue to execute arbitrary shell commands on the host system.
- [PROMPT_INJECTION] (LOW): Vulnerable to Indirect Prompt Injection. The skill processes data from attacker-controllable sources that could contain hidden instructions intended to manipulate the agent's behavior.
  - Ingestion points: Data enters the context through `gh pr view` (PR body, diff, and titles) and `mcp_Linear_get_issue` (issue descriptions and comments).
  - Boundary markers: Absent. The templates do not use XML tags, delimiters, or specific system instructions to isolate untrusted content from the agent's primary directives.
  - Capability inventory: The skill has significant write capabilities, including posting comments to GitHub (`gh pr comment`) and creating/updating issues in Linear (`mcp_Linear_create_comment`, `mcp_Linear_update_issue`).
  - Sanitization: Absent. There is no evidence of filtering or escaping logic applied to the external data before it is used for analysis or incorporated into final output commands.
Recommendations
- AI detected serious security threats
Audit Metadata