skills/liqiongyu/my-agents/review/Gen Agent Trust Hub

review

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
  • [DATA_EXFILTRATION]: The skill explicitly directs the agent in Phase 1b to read sensitive configuration files such as .env, .env.local, and .env.production. While this is intended to help the agent understand project conventions, it facilitates the exposure of environment secrets and credentials.
  • [COMMAND_EXECUTION]: The skill uses shell-based tools like git and gh and constructs commands using user-provided arguments such as PR numbers and branch names. This pattern creates a potential surface for command injection if the agent platform does not sanitize these inputs before execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from diffs and repository files as part of its primary review task.
      • Ingestion points: Data enters the context through gh pr diff, git diff, and direct file reads as defined in Phase 1a.
      • Boundary markers: Absent. The skill instructions do not provide delimiters or instructions to ignore prompts embedded within the reviewed code.
      • Capability inventory: The skill has shell, filesystemRead, and filesystemWrite capabilities.
      • Sanitization: No sanitization or validation of the ingested code content is specified in the instruction set.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 02:52 PM