review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill ingests untrusted external data which can influence its behavior.
- Ingestion points: Fetches data from external sources using `gh pr view` and `gh issue view` (Phase 1, Step 2).
- Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands within the fetched PR/Issue content.
- Capability inventory: Uses the `gh` CLI for network/API interaction and runs "available linting tools" (Phase 2, Step 3), which involves executing shell commands/binaries.
- Sanitization: None. The skill directly processes and "reviews" the untrusted content.
- [COMMAND_EXECUTION] (HIGH): The skill invokes shell commands (`gh`) and triggers the execution of linting tools based on "detected languages." If a linter is configured via a file in the repository (e.g., a malicious config file), it could lead to arbitrary code execution when the agent attempts to run it.
Recommendations
- AI detected serious security threats
Audit Metadata