review-pr
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from GitHub pull requests, creating a surface for indirect prompt injection.
  - Ingestion points: Pull request titles, bodies, and diffs are fetched via `gh pr view` and `gh pr diff` in SKILL.md.
  - Boundary markers: There are no delimiters or instructions used to prevent the agent from obeying commands embedded within the PR content.
  - Capability inventory: The agent has permissions to execute shell commands (`git`, `gh`, `rg`), access the filesystem, and modify PR metadata as seen in SKILL.md.
  - Sanitization: No sanitization or validation is performed on the content retrieved from GitHub before it is used to guide the agent's logic.
- [COMMAND_EXECUTION]: The skill constructs shell commands using variables derived from untrusted pull request data, which can lead to command injection.
  - Evidence: The workflow uses keywords from PR titles directly in ripgrep commands: `rg -n "<keyword_from_pr_title>"` in SKILL.md.
  - Evidence: Directory paths are created using the pull request identifier: `WORKTREE_DIR=".worktrees/pr-<PR>"` in SKILL.md.
  - Risk: Maliciously crafted pull request titles or branch names containing shell metacharacters could trigger unintended command execution on the host system.
- [EXTERNAL_DOWNLOADS]: The skill fetches metadata and code from GitHub.
  - Source: github.com via the `gh` CLI and `git` command.
  - Context: These operations target a well-known service (GitHub) and are necessary for the skill's primary function of reviewing code.
Audit Metadata