pr-review
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill has a surface for Indirect Prompt Injection (Category 8) because it is designed to ingest and analyze untrusted data from external repository contributors.\n
- Ingestion points:
SKILL.md(Workflow Step 1 and 3) where the agent fetches PR metadata and diffs usinggh pr viewandgh pr diff.\n - Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between code review data and its own system instructions.\n
- Capability inventory: The agent uses
ghandgitCLI commands to interact with the repository and fetch content.\n - Sanitization: Absent. The skill does not implement any logic to sanitize or filter the content of the PR before the agent processes it.\n- [COMMAND_EXECUTION] (LOW): The skill constructs shell commands (
gh,git) using an external<PR_URL>provided by the user. If the input is not properly handled or escaped by the agent, it could lead to command injection, although the risk is lower as the agent typically formats the command based on the provided template.
Audit Metadata