pr-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill's installation or setup process involves downloading a shell script from an untrusted external repository and piping it directly to bash.
  - Evidence: curl -fsSL https://raw.githubusercontent.com/SpillwaveSolutions/skilz/main/install.sh | bash
  - Context: The source SpillwaveSolutions is not on the trusted organizations list. Piping remote content to a shell allows for arbitrary command execution on the host system without verification.
- EXTERNAL_DOWNLOADS (HIGH): The skill fetches resources from a non-whitelisted GitHub repository during its operation.
  - Evidence: Reference to https://raw.githubusercontent.com/SpillwaveSolutions/skilz/.
  - Context: Downloading scripts or configuration from unknown third-party repositories poses a significant supply chain risk.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest and process untrusted data from GitHub Pull Requests (diffs, comments, metadata) and has the capability to execute actions based on that data.
  - Ingestion points: references/gh_cli_guide.md describes using gh pr view, gh pr diff, and gh api to read PR content.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the provided scripts.
  - Capability inventory: The script scripts/add_inline_comment.py can write comments to GitHub using the gh CLI.
  - Sanitization: While the script uses json.dumps to safely pass data to the CLI, it does not sanitize the logical content of the comments, which could be influenced by malicious instructions embedded in the PR being reviewed.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/SpillwaveSolutions/skilz/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata