bonfire-review-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill processes untrusted data (PR body and file contents) in Step 6. This content is passed to a subagent (`bonfire:work-reviewer`) to generate findings. There are no boundary markers or explicit instructions to ignore embedded commands within the PR data, creating a significant risk of Indirect Prompt Injection.
- [COMMAND_EXECUTION] (HIGH): Findings generated from the untrusted PR content are used in Step 9 to construct shell commands (`gh api` and `gh pr comment`). If an attacker successfully influences the subagent's output via a malicious PR description, they may be able to inject parameters or manipulate the behavior of the GitHub CLI tools.
- [DATA_EXPOSURE] (MEDIUM): The skill creates an isolated worktree (`git worktree add`) using code from an external PR. While intended for review, this places potentially malicious code onto the local file system. If the subagent or the user interacts with this code (e.g., via automated tests or build scripts not shown but common in PR workflows), it could lead to local compromise.
Recommendations
- AI detected serious security threats
Audit Metadata