vibe-review

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because its primary workflow involves ingesting and analyzing untrusted data from external sources.
      • Ingestion points: The agent reads content from git diffs, PR descriptions (via gh api), and repository files (via Read and Grep) as specified in SKILL.md and pr-review.md.
      • Boundary markers: Absent. There are no instructions to wrap untrusted content in delimiters or to ignore potential instructions embedded within the code or PR comments being reviewed.
      • Capability inventory: The agent has access to powerful tools including Bash (for git and GitHub CLI operations), Read, and Grep.
      • Sanitization: No sanitization or validation of the ingested content is performed before processing.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands through the Bash tool. Specifically, pr-review.md guides the agent to construct git clone and rm -rf commands using variables ({OWNER}, {REPO}) parsed from user-provided URLs. While the tools are scoped in the frontmatter, a failure in the agent's parsing logic could allow a malicious URL to influence the resulting command line.
  • [EXTERNAL_DOWNLOADS]: The pr-review.md process involves cloning external repositories to a temporary directory (/tmp/vibe-review-*). The skill fetches data from well-known platforms like GitHub, GitLab, and Gitee based on user input. This is a functional requirement for code review but involves downloading external content into the execution environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 3, 2026, 01:31 AM