review-pr
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted data from external sources (GitHub PR descriptions and diffs) which could contain malicious instructions designed to subvert the agent's logic.
  - Ingestion points: Pull request descriptions and code diffs retrieved via gh pr diff and scripts/pr.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between PR data and operational instructions.
  - Capability inventory: The skill possesses the ability to execute local scripts (scripts/pr, scripts/pr-review), search files (rg), and perform GitHub API operations (gh).
  - Sanitization: There is no evidence of sanitization or validation of the PR content before it is processed by the agent.
- [COMMAND_EXECUTION]: Local Script and Tool Execution. The skill relies on several local wrapper scripts and system binaries to perform its tasks. While these appear to be intended vendor resources, they represent the primary execution vector.
  - Evidence: Use of scripts/pr, scripts/pr-review, git, rg, and gh CLI.
  - Context: The skill also sources environment variables from .local/review-context.env, which is a dynamic execution pattern used to maintain state between steps.
Audit Metadata