pr-review-response
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): Requires installation of the unverified third-party extension agynio/gh-pr-review via the gh extension install command. This repository is outside the trusted organizations list and poses a supply-chain risk.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill dynamically detects and executes test and format commands from the repository's configuration files (e.g., package.json scripts, Makefile). An attacker could submit a PR that modifies these files to execute malicious code when the agent runs the test or format phase.
- [COMMAND_EXECUTION] (MEDIUM): Extensive use of shell commands via the Bash tool to modify repository content and push changes to remote origins.
- [PROMPT_INJECTION] (LOW): Processes external PR comments using a sub-agent. Although it uses delimiters (<user_input>), it is susceptible to indirect prompt injection. Evidence: (1) Ingestion: Phase 1 comment fetch. (2) Boundaries: XML-like tags present. (3) Capabilities: Bash, Edit, Write, Push. (4) Sanitization: None.
Recommendations
- AI detected serious security threats