pr-review
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill generates bash scripts that include a `<number>` placeholder (intended to be the PR number from `$ARGUMENTS`) directly in shell commands (e.g., `gh pr view <number>`). If the input is not strictly validated by the agent, an attacker could provide a string containing shell metacharacters to execute arbitrary commands in the environment.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it analyzes content controlled by external users.
  - Ingestion points: The skill reads PR diffs, review comments, and conversation history using `gh pr diff` and `gh api`.
  - Boundary markers: None. There are no delimiters or instructions to treat the ingested data as untrusted, meaning the LLM could follow instructions embedded within the PR itself.
  - Capability inventory: The skill has powerful capabilities, including approving pull requests (`gh pr review --approve`), resolving threads, and committing/pushing code (`git push`) to the repository.
  - Sanitization: The skill does not perform any sanitization or escaping of the ingested PR data before processing it.