review-pr

The skill is purpose-aligned and uses official GitHub tooling, so it does not look malicious. However, it is high-risk as an agent skill because it reads attacker-controlled PR content, can execute repository code, and can autonomously take write actions on GitHub including approvals, comments, thread resolution, dismissals, and optional pushes. Overall classification: SUSPICIOUS due to prompt-injection and autonomy risk, not credential theft or covert exfiltration.