review
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) by ingesting untrusted external data and passing it to multiple downstream agents.
  - Ingestion points: External data enters the context via `gh pr view` (PR titles, bodies, and file contents) and the `prd.json` file.
  - Boundary markers: Although a `<review_target>` tag is utilized for the target identifier, the actual content passed to agents (e.g., in the task `Review these changed files for security vulnerabilities: <changed_files>`) lacks explicit delimiters or instructions to ignore embedded commands within the reviewed code.
  - Capability inventory: The skill possesses significant capabilities, including shell command execution (`find`, `sed`, `grep`, `gh`, `git`), file system writes (creating todo markdown files and updating `prd.json`), and the ability to trigger specialized agents.
  - Sanitization: No evidence of sanitization or validation of the ingested PR content is present before it is interpolated into agent tasks.
Audit Metadata