skills/paulkinlan/co-do/agent-reviews/Gen Agent Trust Hub

agent-reviews

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill retrieves GitHub authentication tokens by reading the .env.local file and executing the gh auth token command. While these actions are required for its primary purpose of interacting with the GitHub API, reading environment files containing secrets is a sensitive operation.
  • [PROMPT_INJECTION]: The skill processes untrusted data from GitHub PR comments, creating a vulnerability to indirect prompt injection.
      • Ingestion points: The scripts/comments.js script fetches reviewComments and issueComments from the GitHub API, which are untrusted inputs.
      • Boundary markers: No specific delimiters or "ignore instructions" warnings are used to wrap the untrusted comment content within the agent's context.
      • Capability inventory: The skill can perform git push and post replies to GitHub via the API, allowing it to potentially act on malicious instructions embedded in comments.
      • Sanitization: The cleanBody function removes bot-specific HTML and metadata for noise reduction but does not filter for adversarial natural language instructions.
  • [COMMAND_EXECUTION]: The script uses execSync to run git and gh commands (e.g., git remote get-url origin). These are used to determine local repository metadata and are not directly exposed to external user input.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 11:35 PM