review-pr
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it is designed to ingest and analyze untrusted data provided by external contributors in GitHub pull requests.
- Ingestion points: Untrusted content enters the agent's context through pull request descriptions, commit messages, and review comments retrieved via the GitHub CLI and API (referenced in 'references/review-workflow.md').
- Boundary markers: The skill does not provide instructions for the agent to use delimiters or specific safety markers to isolate and ignore potentially malicious instructions embedded within the PR content.
- Capability inventory: The skill utilizes the `gh` CLI for API interactions, `git` for repository management, and suggests local execution of build and test commands.
- Sanitization: The workflow does not include explicit instructions for the agent to sanitize or escape untrusted content before processing it.
- [REMOTE_CODE_EXECUTION]: The workflow defined in 'references/review-workflow.md' includes a 'Local Checkout Workflow' that suggests checking out the PR branch and executing local commands such as `npm test`, `pytest`, `go test`, or `npm run build`. Since these commands execute code directly from the pull request—which may be authored by an untrusted external party—this represents a potential vector for remote code execution if the agent is operating in a non-sandboxed local environment.
Audit Metadata