pr-review
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it analyzes untrusted data from pull requests.\n
- Ingestion points: PR metadata and code diffs are ingested via
gh pr viewandgh pr diff.\n - Boundary markers: No delimiters or "ignore embedded instructions" warnings are present for the ingested PR content.\n
- Capability inventory: The agent can execute shell commands (
gh,grep) and interact with the PR status, creating a risk if the agent is manipulated into performing unintended actions.\n - Sanitization: No sanitization or validation of the PR content is performed.\n- [COMMAND_EXECUTION]: The skill uses the
Bashtool to run GitHub CLI (gh) commands for fetching PR data, checking CI status, and viewing diffs. These tools are used legitimately to fulfill the skill's purpose.\n- [CREDENTIALS_UNSAFE]: The skill features a built-in check to identify potential hardcoded secrets in the PR diff usinggrep. This is a security-positive feature designed to prevent credential leaks in the repository.
Audit Metadata