review-github-pr
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary workflow involves executing shell commands to interact with GitHub (gh) and run project-specific validation tasks.
- Evidence: Phase 1 instructions tell the agent to "Run the project's lint + type-check command. Check CLAUDE.md for the correct validation command".
- [REMOTE_CODE_EXECUTION]: The skill allows cloning and processing remote repositories, which, combined with the execution of commands found in those repositories, creates a remote code execution vector.
- Evidence: Mode 2 allows users to provide a GitHub PR URL, which the skill clones to /tmp and then performs Phase 1 (automated command execution from the cloned content).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content from external repositories (PR descriptions, code, and project documentation) without sanitization or boundary markers.
- Ingestion points: Project file CLAUDE.md, PR diffs, PR titles, descriptions, and author metadata.
- Boundary markers: Absent. The skill passes untrusted PR content directly to parallel agents without explicit delimiters or instructions to ignore embedded commands.
- Capability inventory: Shell command execution (via gh and CLAUDE.md strings), file system navigation, and network operations (via gh CLI).
- Sanitization: None. The skill does not validate or sanitize the command string retrieved from CLAUDE.md before execution.
Audit Metadata