review-pr (skills/max-sixty/worktrunk/review-pr)

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill runs 'gh', 'git', 'rg' and 'jq' against the repository, and the command lines are assembled from data taken from the Pull Request (branch name, title, body). If such PR-controlled strings are interpolated into a shell command line rather than passed as separate arguments, shell metacharacters in them ('$(...)', backticks, ';') are interpreted, giving the PR author command injection into the agent's environment.
  • [REMOTE_CODE_EXECUTION]: One step runs the local test hook with 'cargo run -- hook pre-merge --yes' on the checked-out Pull Request branch. That compiles and runs code supplied by the PR author (with cargo, build scripts and procedural macros execute at compile time, before the hook itself runs), so a PR from an untrusted fork results in arbitrary code execution on the agent's host.
  • [PROMPT_INJECTION]: The skill reads Pull Request diffs, descriptions and comments and feeds them to the model as review context without boundary markers or sanitization. Instructions hidden in those fields can redirect the agent's logic and, combined with the capabilities listed below, lead to an unauthorized approval or push.
  • Ingestion points: Pull Request diff content ('gh pr diff'), PR metadata ('gh pr view'), and conversation comments (via the GitHub API pulls/comments and issues/comments endpoints).
  • Boundary markers: None. Untrusted text from the PR is placed directly into the review context, with no delimiters around it and no instruction to the model to treat it as data rather than as directions.
  • Capability inventory: The agent has permissions to approve Pull Requests ('gh pr review --approve'), add reactions, post comments, and push code commits directly to the repository ('git push').
  • Sanitization: None. Content is analyzed in its raw form as retrieved from the API.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 15, 2026, 12:50 PM