oh-notes
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted pull request comments.
  - Ingestion points: Pull request comments and reviews are retrieved from GitHub using `gh pr view` and the GitHub API in `SKILL.md`.
  - Boundary markers: There are no explicit delimiters or instructions to the agent to treat the fetched comments as external, untrusted content.
  - Capability inventory: The skill has the authority to perform file system modifications, `git push` operations, and create GitHub issues and replies.
  - Sanitization: While `sg review` is executed on staged changes, this tool is described as a code review utility rather than a security filter designed to detect or sanitize malicious instructions embedded in natural language comments.
- [SAFE]: The skill communicates with GitHub, a well-known service, for repository management and feedback retrieval.
- [SAFE]: Command execution is limited to standard version control and CLI tools (`git`, `gh`) used for their intended purpose in a development workflow.
Audit Metadata