reviewing-code
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands (e.g., `gh pr view PR_NUMBER`, `git diff BASE_BRANCH`) using variables derived from user-provided input or extracted from URLs. Without strict validation or sanitization of these variables (e.g., ensuring PR_NUMBER is an integer), the skill is vulnerable to command injection attacks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted content from pull request descriptions, commit messages, and project-level configuration files (`CLAUDE.md`, `AGENTS.md`). This constitutes an indirect prompt injection surface.
  - Ingestion points: Untrusted data enters the context through `gh pr view`, `gh pr diff`, `git diff`, and by reading project files with `cat`.
  - Boundary markers: There are no defined delimiters or instructions provided to the agent to treat the ingested data as non-instructional content.
  - Capability inventory: The skill uses `bash` to execute `git`, `gh`, and custom CLI tools like `gemini` and `codex`, and has permissions to read and write to the filesystem (e.g., using `/tmp/` files).
  - Sanitization: No evidence of input validation, escaping, or content filtering is present in the instructions.
Audit Metadata