pr-review-loop

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill processes PR comments from GitHub, which are untrusted external inputs.
      • Ingestion points: Fetches PR comments via gh api in SKILL.md (Step 3).
      • Boundary markers: Absent; the agent is not instructed to ignore commands within the comments.
      • Capability inventory: Access to Bash for command execution, git push for repository modification, and gh API for GitHub interaction.
      • Sanitization: Absent; the agent implements changes based directly on comment text.
  • [Command Execution] (LOW): The skill executes 'safeguards' such as Makefile targets or test scripts found in the repository (Steps 1 and 5b). While necessary for its purpose, this executes code that could be malicious if the PR being reviewed is from an untrusted source.
  • [Command Execution] (LOW): Step 6 in SKILL.md uses a shell loop to iterate over thread_id values from the GitHub API. The interpolation of variables into shell commands is a risky pattern that could lead to command injection if the input source were compromised.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 18, 2026, 04:44 PM