code-review-master
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The script is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Fetches external, attacker-controllable data including PR titles, descriptions (body), and code diffs from GitHub using the `gh` CLI.
  - Boundary markers: The script uses Markdown code blocks (```` ```diff ````) and JSON string escaping (via `jq`), which provide structural separation but do not prevent an LLM from following instructions embedded within that data.
  - Capability inventory: The script executes local commands (`gh`, `jq`) and writes to the console. If the agent using this skill has broader permissions (e.g., file-write or network access), the injected content could trigger those capabilities.
  - Sanitization: Employs `jq` for JSON formatting, but lacks sanitization for the content of PR metadata or diffs when outputting in Markdown or Plain text formats.
- COMMAND_EXECUTION (SAFE): Shell variables (`$PR_NUMBER`, `$REPO`, `$OUTPUT_FORMAT`) are consistently double-quoted, preventing standard shell word splitting and globbing attacks.
Audit Metadata