github-code-review
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The webhook handler example in SKILL.md builds a shell command with execSync that includes the command variable taken directly from a GitHub comment. Because the comment text is interpolated into the shell string unescaped, this is a shell command injection: anyone who can post a crafted pull request comment can execute arbitrary code on the host system.
- [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it reads and processes untrusted pull request content.
  - Ingestion points: PR metadata (title, body) and code diffs are ingested using gh pr view and gh pr diff.
  - Boundary markers: No explicit delimiters or instructions are given to the agents to disregard instructions embedded within the PR data.
  - Capability inventory: The skill can perform sensitive actions, including gh pr review --approve, gh pr review --request-changes, and gh pr comment.
  - Sanitization: No evidence was found of sanitization or escaping of the PR content before it is passed into the agent swarm.
- [EXTERNAL_DOWNLOADS]: The skill documentation uses npx to fetch and execute the ruv-swarm package. This is a vendor-owned resource (ruvnet) and represents standard functionality for this skill's ecosystem.
Recommendations
- AI detected serious security threats