review-pr

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Risk categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill runs validation commands such as pytest, npm run test, and docker-compose on the code within the pull request as specified in references/validation-commands.md. If a pull request includes malicious test logic or script definitions in package.json or test files, the agent will execute this code on the local system during the review process.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves untrusted pull request data (titles, bodies, and code diffs) via the gh CLI and interpolates it directly into sub-agent prompts.
    1. Ingestion points: PR metadata and file diffs fetched in Phase 1.
    2. Boundary markers: Absent; external content is injected directly into prompt strings.
    3. Capability inventory: Bash, Write, Edit, TaskCreate, and gh CLI (allowing for code modification and PR approval).
    4. Sanitization: Absent.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to run the GitHub CLI and various development tools. These commands are executed in the context of the repository being reviewed, creating a significant attack surface if the repository contents are untrusted.
  • [EXTERNAL_DOWNLOADS]: The use of package managers like npm and poetry, along with docker-compose, can trigger the download of external dependencies or container images from remote registries. These downloads are directed by configuration files found within the pull request, potentially leading to the ingestion of malicious packages.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 27, 2026, 04:28 PM