pr-review-toolkit
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection. The skill processes untrusted pull request data (code, comments, tests) which can contain malicious instructions intended to manipulate the agent's behavior.
  - Ingestion points: The `review-pr` command in `references/commands/review-pr.md` ingests data via `git diff` and `gh pr view`. Individual agents like `comment-analyzer.md` and `code-reviewer.md` also process file content.
  - Boundary markers: The system prompts for the agents do not include explicit instructions to disregard or isolate embedded commands within the code being reviewed.
  - Capability inventory: The skill has access to the `Bash` tool, file read operations, and the ability to spawn sub-tasks via the `Task` tool.
  - Sanitization: There is no evidence of input validation or sanitization for the code or comments being analyzed.
- [PROMPT_INJECTION]: Deceptive metadata in `SKILL.md`. The skill claims to be authored by "Anthropic" and sourced from "Claude Plugins Official", which is inconsistent with the provided author context "ypyt1". This impersonation could mislead users into granting excessive trust to the skill.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to execute `git diff` and `gh pr view` commands to gather context about the pull request and its changes.
Audit Metadata