github-code-review
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill utilizes `npx ruv-swarm` to perform code analysis. This package is not part of the trusted organization list and is executed dynamically from the npm registry without version pinning in the shell examples.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from GitHub Pull Requests (titles, bodies, and code diffs) and passes them to an AI swarm. An attacker could embed instructions in a PR to trick the agent into approving malicious code or performing unintended actions.
  - Ingestion points: Fetches untrusted data via `gh pr view` and `gh pr diff` as seen in multiple usage examples in `SKILL.md`.
  - Boundary markers: Absent. Data is passed directly to the `npx` command via variables like `$PR_DATA` and `$PR_DIFF` without delimiters or 'ignore' instructions.
  - Capability inventory: Possesses the capability to approve pull requests (`gh pr review --approve`), request changes, and post arbitrary comments via the GitHub API.
  - Sanitization: No sanitization or escaping of external content is present before interpolation into commands or AI context.
- [COMMAND_EXECUTION] (LOW): The skill heavily relies on executing shell commands to interact with the GitHub CLI. While standard for this use case, the execution of these commands with data derived from untrusted pull requests increases the risk of argument injection if the underlying processing tools do not handle inputs safely.
Audit Metadata