review-pr
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of system commands and subprocesses, including
git,gh(GitHub CLI),glab(GitLab CLI), andjqto manage repository state and interact with remote platforms. - [DYNAMIC_EXECUTION]: The
common.shutility script usesevalwithin theload_kv_outputfunction to import variables generated by other scripts. Whileprintf %qis used to escape values, the use ofevalon dynamically constructed strings is a risky pattern. - [DYNAMIC_EXECUTION]: The
normalize_pathfunction incommon.shperforms runtime script generation and execution by passing a heredoc topython3for path normalization tasks. - [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from external sources and acts upon it.
- Ingestion points: Fetches pull request comments and discussion threads via
scripts/fetch_review_comments.sh; parses repository-level policy files (AGENTS.mdandCLAUDE.md) inscripts/repo_policy.sh. - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands were found in the processing logic.
- Capability inventory: The skill possesses capabilities to modify local git state, manage worktrees, and post comments to remote APIs using
scripts/worktree_sync.shandscripts/post_review_comment.sh. - Sanitization: Employs
jqfor JSON data andprintf %qfor shell variable escaping, though repository policy parsing relies on regular expressions which may be bypassed. - [EXTERNAL_DOWNLOADS]: The skill interacts with well-known services (GitHub and GitLab) to fetch pull request metadata and comments. These operations use official CLI tools and require existing user authentication.
Audit Metadata