github-review-workflow
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data from GitHub pull request comments. These comments are stored locally and handed to sub-tasks that use high-privilege tools such as 'Bash' and 'Write'. This setup is susceptible to indirect prompt injection, where a malicious comment could attempt to influence the agent's behavior.
- Ingestion points: Comment data is fetched from the GitHub API using 'gh api' in 'scripts/export_github_review_comments.py'.
- Boundary markers: The exported files do not wrap comment text in explicit delimiters, nor do they instruct the agent to ignore embedded commands within the comments.
- Capability inventory: The skill allows the use of 'Bash', 'Read', 'Write', 'Edit', 'Glob', 'Grep', and 'Agent' tools as defined in 'SKILL.md'.
- Sanitization: While 'scripts/comment_formatters.py' removes UI-related markdown blocks and metadata, it does not filter or sanitize natural language instructions from the comments.
- [COMMAND_EXECUTION]: The skill relies on local command execution via the GitHub CLI ('gh') and Python subprocesses to manage PR data. These operations are essential for the workflow but involve shell command execution.
- Evidence: 'scripts/github_review_utils.py' implements 'subprocess.run' for GitHub API interactions.