pr-review-and-document
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill possesses an attack surface for indirect prompt injection because it processes untrusted data from external PRs.
  - Ingestion points: Untrusted PR code and existing PR comments (Step 2 and Step 3 in SKILL.md).
  - Boundary markers: Absent; the skill does not specify delimiters or instructions to ignore embedded commands within the PR data.
  - Capability inventory: The skill can execute local bash scripts (Steps 1, 2, and 5) and write/update comments on GitHub.
  - Sanitization: Absent; the skill pipes generated content directly to a write script without validation of the source content's impact on the formatted output.
- [Command Execution] (SAFE): All bash executions are restricted to the local `${CLAUDE_PLUGIN_ROOT}/scripts/` directory. No evidence of arbitrary command injection or shell escapes from user-controlled strings was found.
- [Prompt Injection] (SAFE): The use of 'IMPORTANT' or 'Required' keywords in the markdown body serves as functional instructions to ensure the agent uses the correct model and agents for the review, rather than attempting to bypass the agent's core safety filters.