pr-reviewer

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8). It retrieves and processes untrusted content from GitHub Pull Requests, including code diffs and user comments.
      • Ingestion points: Data is pulled from external repositories via gh pr diff and gh api .../comments (identified in SKILL.md).
      • Boundary markers: The skill does not define specific delimiters or "ignore instructions" markers to isolate untrusted PR content from its logic.
      • Capability inventory: The skill uses the Bash tool and has permissions to write to GitHub via the gh CLI.
      • Sanitization: No sanitization or validation steps are defined for the content retrieved from PRs before it is processed by the agent.
  • [COMMAND_EXECUTION]: The process steps in SKILL.md (Paso 4 and Paso 5) involve interpolating externally-sourced variables—such as file paths, author handles, and comment bodies—directly into shell command templates (e.g., gh pr comment {numero} --body "..."). This pattern introduces a risk of command injection if the agent fails to properly escape shell metacharacters present in the PR metadata.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 11:53 AM