dev-review-pr
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from GitHub PRs (titles, descriptions, comments) and git diffs without boundary markers or sanitization, creating a surface for indirect prompt injection.
  - Ingestion points: SKILL.md (Phase 1, Mode A/B/C).
  - Boundary markers: Absent; untrusted content is not delimited from system instructions.
  - Capability inventory: Executes `git` and `gh` shell commands; reads local files.
  - Sanitization: No instructions provided to escape or filter untrusted external data.
  - Mitigation: Use structural delimiters (e.g., XML tags or unique markers) to wrap external data and explicitly instruct the agent to ignore any instructions found within those sections.
- [COMMAND_EXECUTION]: Shell commands are constructed via string interpolation of variables (e.g., `$PR_NUMBER`, `$COMMIT1`) without explicit sanitization or validation logic, presenting a potential command injection risk if the agent receives malicious inputs for these variables.
  - Evidence: SKILL.md (Phase 1: `gh pr view $PR_NUMBER` and `git diff $COMMIT1..$COMMIT2`).
  - Mitigation: Explicitly instruct the agent to validate that input variables match expected formats (such as numeric values for PR numbers or hex strings for commit hashes) before use in shell commands.
Audit Metadata