pr-review-agent
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted external data to drive its decision-making logic.
  - Ingestion points: Reads PR diffs, changed files, issue tracker comments, and handoff JSON blocks from previous agents (SKILL.md).
  - Boundary markers: Utilizes the `<!-- OPEN-ORCHESTRA-HANDOFF -->` delimiter to identify and parse structured JSON context.
  - Capability inventory: Performs issue tracker operations via MCP (status updates, tagging, commenting), posts PR comments, and invokes secondary agents (`implementation-agent` and `init-architect`) with dynamically generated payloads.
  - Sanitization: No explicit sanitization or instruction-filtering for content extracted from PR diffs or issue comments is described in the procedure.
- [COMMAND_EXECUTION]: The skill requires and interacts with an external 'issue tracker MCP' to perform ticket operations and status updates. These operations are restricted to the context of the resolved parent ticket and are conditional on the MCP's availability.
Audit Metadata