create-mr
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE DATA_EXFILTRATION EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads from ~/.ai-review/credentials.json. While this is intended to verify the setup of the ai-review CLI, it exposes the existence and contents of a sensitive credentials file to the agent's context.
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install an external package @zawlinnnaing/ai-review-cli via npm. This is a vendor-provided resource, but it represents an external dependency required for the skill's operation.
- [COMMAND_EXECUTION]: The skill uses the bash tool to execute multiple CLI commands including ai-review create-mr, ai-review get-context, and ai-review post-description. These commands use arguments derived from user input and external file content.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from external sources (GitLab MR diffs) to generate automated summaries.
  - Ingestion points: Data is read from ~/.ai-review/mr-context.json after fetching MR details.
  - Boundary markers: No specific delimiters or instructions are provided to the agent to ignore potentially malicious instructions embedded within the code diffs.
  - Capability inventory: The agent has access to bash for command execution and file writing.
  - Sanitization: There is no evidence of sanitization or filtering applied to the MR context before the agent processes it to write the description.
Audit Metadata