github-code-review
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The example `webhook-handler.js` script uses `execSync` to run shell commands constructed directly from the `event.comment.body` string. This creates a critical command injection vulnerability where an attacker can execute arbitrary code on the host system by posting a pull request comment containing shell metacharacters (e.g., `/swarm ; rm -rf / ;`).
- [REMOTE_CODE_EXECUTION]: By combining the webhook listener with unsanitized `execSync` calls, the skill allows for remote code execution triggered by external GitHub events. This enables unauthorized users with pull request access to run arbitrary scripts on the server running the swarm orchestration.
- [PROMPT_INJECTION]: The skill has a high exposure to indirect prompt injection (Category 8).
  - Ingestion points: Data is ingested from GitHub pull request titles, bodies, diffs, and comments using `gh pr view` and webhook event payloads.
  - Boundary markers: The skill lacks delimiters or explicit instructions to the AI agents to ignore embedded commands within the ingested PR data.
  - Capability inventory: The skill possesses extensive capabilities including code modification, pull request approval/merging, and command execution via the `gh` CLI and `ruv-swarm` tools.
  - Sanitization: No input validation or escaping is present for the data retrieved from GitHub before it is processed by the AI agents or passed to system-level commands.
- [EXTERNAL_DOWNLOADS]: The skill relies on `npx` to execute `ruv-swarm`, which is a tool provided by the author (ruvnet), and utilizes the GitHub CLI (`gh`). These external dependencies are required for the skill's primary function and are documented vendor resources.
Recommendations
- AI detected serious security threats
Audit Metadata