review-as
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): Indirect Prompt Injection vulnerability surface. The skill ingests untrusted data from external Pull Requests which could contain instructions designed to subvert the review process.
  - Ingestion points: Untrusted data enters the agent context via `gh pr diff`, `gh pr view`, and `git diff` outputs as described in Step 2 and Step 3 of SKILL.md.
  - Boundary markers: Absent. There are no instructions to the agent to treat the PR content as untrusted data or to use delimiters to prevent instruction leakage.
  - Capability inventory: The skill's capabilities are limited to local command execution (`git`, `gh`) to fetch data and generating a markdown-based review report. It lacks file-write, network-exfiltration, or sensitive data access capabilities.
  - Sanitization: No sanitization, escaping, or validation of the ingested PR content is performed before the analysis step.
- COMMAND_EXECUTION (SAFE): The skill uses `git` and `gh` (GitHub CLI) to perform diffs and view metadata. These operations are standard for the intended primary purpose of code review and do not involve privilege escalation or suspicious execution patterns.
Audit Metadata