reviewing-pr
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) as it ingests untrusted data from external sources and incorporates it into the agent's context.
  - Ingestion points: The skill reads attacker-controlled content via `gh pr view`, `gh pr diff`, and `gh api` in `SKILL.md` (Step 1).
  - Boundary markers: Absent. The instructions do not define delimiters or provide specific warnings to the agent to ignore instructions contained within the PR diffs or existing comments.
  - Capability inventory: The agent can execute shell commands (`git`, `gh`), post PR reviews/comments, and modify PR metadata (labels).
  - Sanitization: The skill employs shell-safe quoted heredocs (`cat <<'EOF'`) when constructing comment bodies, which effectively prevents shell command injection but does not sanitize the natural language content against prompt injection.
- COMMAND_EXECUTION (SAFE): The skill uses standard GitHub CLI (`gh`) and Git commands necessary for its primary purpose of PR review. Commands are well-structured and avoid dynamic execution of untrusted strings in the shell environment.
Audit Metadata