review-pr
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from the pull request changes and project-specific instruction files.
  - Ingestion points: Content returned by `git diff` and the text of project documentation files such as `CLAUDE.md`, `AGENTS.md`, and `README.md` found within the pull request scope.
  - Boundary markers: The instructions lack explicit delimiters or warnings to the sub-agents to ignore or isolate potential instructions embedded within the code or markdown content being reviewed.
  - Capability inventory: The agent can execute shell commands (`git`, `gh`), launch parallel LLM agents, modify pull request descriptions, and post inline comments to GitHub.
  - Sanitization: There is no evidence of sanitization or validation of the input data before it is processed by the specialized review agents.
- [COMMAND_EXECUTION]: The skill utilizes system commands including `git status`, `git diff`, and `gh api`. While necessary for the skill's primary function, these tools provide a capability that could be manipulated if an attacker successfully influences the agent's behavior via injected instructions.
Audit Metadata