oh-review
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes standard system commands like
catto read local context and the GitHub CLI (gh) to interact with pull requests and issues. These operations are well-defined and align with the skill's stated purpose. - [DATA_EXFILTRATION]: Network activity is restricted to interacting with GitHub's official services via the authenticated
ghtool. The skill reads repository-specific metadata (PRs, issues, diffs) and does not attempt to access sensitive system files or credentials. - [PROMPT_INJECTION]: The skill processes untrusted external data (PR titles, descriptions, and code diffs), which presents a surface for indirect prompt injection.
- Ingestion points: PR metadata (
gh pr view), linked issues (gh issue view), and code diffs (gh pr diff) are ingested into the agent context. - Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between untrusted PR data and the skill's logic.
- Capability inventory: The skill has the ability to write local temporary files and post comments to GitHub PRs via
gh pr review. - Sanitization: No explicit sanitization or filtering of external content is performed before it is processed by the agent.
- Note: This is an inherent risk for any automated code review tool and is considered acceptable within the intended workflow.
Audit Metadata