code-review
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) as it ingests untrusted external data.
  - Ingestion points: The skill reads PR metadata, body, and contributor comments via `gh pr view`.
  - Boundary markers: The instructions lack explicit delimiters or instructions to treat PR content as untrusted data, increasing the risk that the LLM might follow instructions embedded in a malicious PR.
  - Capability inventory: The skill has access to the `Bash` tool and can execute write operations on GitHub (`gh pr review`, `gh issue comment`), which could be abused to leak information or perform unauthorized actions if the agent is compromised by an injection.
  - Sanitization: No sanitization of the fetched content is specified before processing.
- Command Execution (LOW): The skill uses variables like `<PR>` and `<BODY>` directly in shell commands. If the agent does not properly escape these values, it could lead to local command injection or argument injection via the `gh` or `rg` tools.
Audit Metadata