code-review-playbook
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from GitHub pull requests, creating a surface for indirect prompt injection attacks.
  - Ingestion points: Pull request titles, descriptions, diffs, and comments are fetched via the `gh` CLI and Python scripts (e.g., `scripts/fetch-pr-data.sh`, `scripts/run-pr-checks.py`).
  - Boundary markers: Absent; untrusted content is interpolated directly into the agent's context without clear delimiters or instructions to ignore embedded commands.
  - Capability inventory: The agent has access to the `Bash`, `Read`, `Grep`, `WebFetch`, and `WebSearch` tools, which could be abused if an injection is successful.
  - Sanitization: No sanitization or validation of the fetched PR content is performed before it is presented to the agent.
- [COMMAND_EXECUTION]: The skill uses dynamic context injection and instructs the agent to execute shell commands.
  - Dynamic Context Injection: The file `scripts/review-pr.md` uses the `!command` syntax to execute `gh` and `git` commands (e.g., `!gh pr list`, `!git branch`) at load time to populate context.
  - Argument Injection Surface: Instructions in `scripts/review-pr.md` direct the agent to execute `gh pr view $ARGUMENTS`, where `$ARGUMENTS` is a user-supplied PR number. This could lead to shell command or argument injection if the agent does not properly sanitize the input before execution.
  - Linter Execution: `scripts/run-lint-check.sh` and `scripts/run-pr-checks.py` execute local binaries (`ruff`, `eslint`, `biome`) based on the files detected in the project environment.
Audit Metadata