review-pr
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONNO_CODE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local scripts (
scripts/pr,scripts/pr-review) using user-supplied PR identifiers as arguments. - [COMMAND_EXECUTION]: It uses the
sourcecommand to load.local/review-context.env. If the content of this file is derived from untrusted PR metadata (e.g., branch names or titles) without proper sanitization, it could lead to arbitrary command execution in the shell. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes untrusted data from GitHub PR descriptions and code diffs.
- Ingestion points: PR metadata and content are ingested via
gh pr diffandgit diffcommands. - Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate instructions embedded within the PR content.
- Capability inventory: The agent has the ability to execute local scripts, source environment files, and interact with the GitHub API to modify assignees.
- Sanitization: There is no evidence of sanitization or validation of the PR content before it is processed or used in shell operations.
- [NO_CODE]: The core logic of the skill resides in external scripts (
scripts/pr,scripts/pr-review) that are not included in the provided file set, making the primary execution flow unverifiable.
Audit Metadata