code-review

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted data from pull requests.
  • Ingestion points: Pull request diffs (via GitHub MCP tools), commit messages, and repository files referenced in SKILL.md.
  • Boundary markers: Uses tags to wrap untrusted content in the sub-agent prompt, which provides a basic but bypassable delimiter.
  • Capability inventory: The skill uses git CLI tools and GitHub MCP tools for broad read access to repository contents and pull request metadata.
  • Sanitization: There is no evidence of sanitization or filtering applied to the diff content or PR descriptions before they are interpolated into the instructions for the code-reviewer agent.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute various git commands using parameters derived from user input or PR metadata.
  • Evidence: Workflow steps in SKILL.md include executing git diff ... and git show, which take branch and commit identifiers that could be manipulated to execute unintended git operations.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 08:22 PM