review
Warn
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (e.g., gh pr view $ARGUMENTS) using un-sanitized user input. This enables command injection, where a user could append malicious commands using shell metacharacters like ;, &&, or | to execute unauthorized code.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection from untrusted source code and pull request data because it processes external content without isolation or validation.
  - Ingestion points: Untrusted data enters the agent's context via the gh pr view command (fetching PR bodies and file contents) and the Read tool (fetching file data).
  - Boundary markers: The prompt does not use delimiters or explicit instructions for the agent to ignore embedded commands within the data being reviewed.
  - Capability inventory: The skill is granted access to the Bash tool, providing a powerful vector for exploitation if the agent follows instructions hidden in the PR or code.
  - Sanitization: No sanitization or verification of the external content is performed before the agent analyzes it.
Audit Metadata