github-pr-reviewer
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill identifies and executes shell commands defined within the target repository's configuration files (e.g., package.json scripts, Makefile targets, pyproject.toml) during Phase 4. If a malicious contributor submits a pull request that alters these files to include destructive commands, the agent will execute them in the local environment when attempting to run lints or tests.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from multiple external sources.
  - Ingestion points: Pull request titles, bodies, code diffs, discussion comments, and linked issue content are fetched and analyzed in Phase 1 and Phase 3.
  - Boundary markers: Absent. The instructions do not define delimiters or specific isolation protocols to distinguish between the agent's core instructions and the untrusted data being reviewed.
  - Capability inventory: The agent possesses the ability to execute shell commands via GitHub and Git CLIs, read local files, and run repository-defined scripts (Phases 0, 1, 4, and 6).
  - Sanitization: Absent. No sanitization or escaping is performed on the data retrieved from the PR before it is used to influence the AI's logic during the code analysis phase.
Audit Metadata