pr-review-workflow
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The core rules in `AGENTS.md` explicitly permit the agent to use `sudo` directly if elevated privileges are required for a task, which increases the potential impact of command-line operations.
- [EXTERNAL_DOWNLOADS]: Both the `README.md` and the rule composition in `AGENTS.md` recommend the global installation of various CLI tools from the author's organization via npm, specifically `compose-agentsmd`, `@metyatech/task-tracker`, and `@metyatech/thread-inbox`.
- [REMOTE_CODE_EXECUTION]: The skill uses a dynamic rule-loading mechanism where `compose-agentsmd` fetches and regenerates the agent's behavioral instructions (`AGENTS.md`) from a remote GitHub repository (`github:metyatech/agent-rules@HEAD`). This allows the agent's logic to be modified at runtime from an external source.
- [PROMPT_INJECTION]: The skill processes untrusted external data in the form of PR review feedback, creating an indirect prompt injection surface.
  - Ingestion points: PR review threads, comments, and GitHub notifications as specified in `SKILL.md`.
  - Boundary markers: Absent; the skill does not provide instructions to use delimiters or to treat the feedback as untrusted data.
  - Capability inventory: Mutative GitHub API calls (adding/removing reviewers, deleting notifications), git operations (merging, branch deletion), and `sudo` command execution.
  - Sanitization: Absent; there is no mention of validation, escaping, or filtering of the content retrieved from PR comments.
Audit Metadata