review-gate
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill makes security-critical gating decisions based on untrusted data from GitHub issue comments.
- Ingestion points: Comments are retrieved from the GitHub API using
gh api "/repos/$REPO/issues/$ISSUE_NUMBER/comments". These comments can be authored by any user with permission to comment on the issue. - Boundary markers: The logic relies on fragile markdown comment markers (
<!-- REVIEW:START -->) and specific status strings (e.g.,Review Status: COMPLETE) that are not cryptographically signed or verified. - Capability inventory: The results of the verification script are used to allow or block the
gh pr createtool via a pre-tool-use hook, creating a bypass vector for unauthorized code promotion. - Sanitization: Parsing is performed via simple string matching (
grep,contains). An attacker could easily inject these strings into a comment to deceive the parser into detecting a 'COMPLETE' status with '0' unaddressed findings even if no valid review occurred.
Audit Metadata