github-pr-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from GitHub PR diffs, descriptions, and comments via 'gh pr view' and 'gh pr diff' as seen in README.md and api-reference.md. It possesses high-privilege capabilities including approving PRs ('gh pr review --approve') and creating API comments (api-reference.md). There are no boundary markers or sanitization instructions provided to the agent to distinguish between the skill's logic and the potentially malicious instructions embedded in the PR content being reviewed.
  • [COMMAND_EXECUTION] (MEDIUM): The skill utilizes bash helper functions (README.md) that interpolate PR metadata, such as file paths and search patterns, directly into shell commands involving 'awk' and the 'gh' CLI. This creates a surface for command injection if an attacker crafts malicious file names or PR content that is processed by these local shell scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:11 AM