review-gate

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Vulnerable to indirect prompt injection via untrusted external data.
      • Ingestion points: The skill fetches external content from GitHub issue comments using gh api "/repos/$REPO/issues/$ISSUE_NUMBER/comments" in SKILL.md.
      • Boundary markers: The logic relies on an easily spoofable HTML comment marker, <!-- REVIEW:START -->. Any user with permission to comment on the issue can inject this marker and follow it with crafted text to satisfy the regex requirements.
      • Capability inventory: This skill acts as a PreToolUse gate for gh pr create. Successful injection allows an attacker to bypass mandatory code and security reviews, potentially leading to the introduction of malicious code into the repository.
      • Sanitization: There is no verification of the comment author's identity or the integrity of the review artifact. The skill uses basic grep patterns on raw strings, which are trivial to manipulate.
  • [COMMAND_EXECUTION] (LOW): While the skill executes shell commands (gh, git, grep), the variables containing external data (like $REVIEW_BODY) are double-quoted during execution, which prevents immediate shell command injection. However, the logic remains brittle and dependent on environment-specific grep flags (like -P).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:41 AM