workflows-review
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: Utilizes the GitHub CLI (gh) and Git for repository management, including automated PR checkouts and the creation of isolated worktrees for code inspection.
- [DATA_EXFILTRATION]: Retrieves pull request metadata, including titles, descriptions, and file contents, which are processed locally to facilitate code reviews.
- [REMOTE_CODE_EXECUTION]: Dynamically orchestrates multiple specialized sub-agents (e.g., security-sentinel, performance-oracle) using the Task tool to perform parallel analysis based on local configuration files.
- [PROMPT_INJECTION]: Identifies an indirect prompt injection surface as pull request data (untrusted external input) is passed to reviewer agents without explicit boundary markers.
  - Ingestion points: Pull request metadata and file contents retrieved from the GitHub API via the gh CLI.
  - Boundary markers: Absent; the skill passes PR content directly to parallel sub-tasks.
  - Capability inventory: Includes write access to the local filesystem for todo management, GitHub CLI repository access, and agent spawning capabilities.
  - Sanitization: No explicit input sanitization or escaping is performed on the ingested PR data before it is processed by LLM sub-agents.