copilot-review-loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill's 'Pre-flight' step involves discovering and running 'safeguards' from files like Makefile and .github/workflows/. If a malicious PR or repository includes dangerous commands in these files, the agent will execute them with the user's local privileges. Evidence: 'Identify all required safeguards... Run all of them' in SKILL.md.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection. 1. Ingestion points: PR comments (copilot bot), repository files (Makefile, CLAUDE.md). 2. Boundary markers: Absent. 3. Capability inventory: Bash, git, gh. 4. Sanitization: Absent. An attacker can use PR comments to trick the agent into executing malicious 'fixes' or safeguards.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Recommends the installation of ChrisCarini/gh-copilot-review and is itself hosted at xpepper/pr-review-agent-skill. Neither source is in the trusted organization list, posing a supply-chain risk.
- [COMMAND_EXECUTION] (HIGH): The skill executes git push and gh api calls. Combined with the ingestion of external data from PR comments, this creates a path for an attacker to push malicious code to the repository or manipulate GitHub resources.
Recommendations
- AI detected serious security threats
Audit Metadata