review-pr

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
Findings categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the GitHub CLI (gh) and local build tools (e.g., pytest, npm, ruff) to retrieve PR data and validate code. These operations are strictly directed towards the repository being reviewed and are necessary for the skill's primary functionality.
  • [DATA_EXFILTRATION]: The skill reads pull request metadata, descriptions, and code diffs. This data is processed locally within the agent's context to generate review reports. No evidence of unauthorized data transmission to external or untrusted servers was found.
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection because it processes untrusted PR content. However, it incorporates significant mitigations: sub-agents are explicitly instructed to limit their scope to changed files only, are directed to produce structured JSON output, and the workflow uses clear task boundaries and parallel agent isolation to prevent malicious content in the diff from influencing the master agent's instructions.
  • Ingestion points: PR metadata and diffs retrieved via gh pr view and gh pr diff in SKILL.md.
  • Boundary markers: Prompts in rules/agent-prompts-task-tool.md include 'Scope: ONLY review the following changed files' and 'Do NOT explore beyond these files'.
  • Capability inventory: Subprocess calls (via Bash), file access (Read, Write, Edit), and task management across all scripts.
  • Sanitization: Agents are required to return results in a strict JSON format, which acts as a structured communication barrier between specialized reviewers.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 11:39 PM