github-code-review

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The example webhook-handler.js uses execSync to run shell commands built directly from unvalidated GitHub comment bodies (event.comment.body), so an attacker who posts a crafted PR comment such as "/swarm ; malicious_command" can execute arbitrary commands on the host.
  • [REMOTE_CODE_EXECUTION]: The skill relies on npx ruv-swarm throughout its documentation and workflows. This fetches and executes code from the npm registry at runtime, creating a remote code execution vector.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
    1. Ingestion points: PR titles, bodies, and diffs are retrieved using gh pr view.
    2. Boundary markers: No delimiters or ignore-embedded-instructions warnings are present in the scripts.
    3. Capability inventory: The skill uses the gh CLI to write comments, request changes, and modify labels, and uses execSync for command execution.
    4. Sanitization: No validation or escaping is applied to the retrieved PR data before it is processed by the AI swarm.
  • [REMOTE_CODE_EXECUTION]: The register-agent functionality enables dynamic execution of code by loading and running JavaScript files from local paths provided as arguments (--file "./custom-review-agent.js").
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 25, 2026, 07:38 PM