comprehensive-review
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs agents to gather requirements and task descriptions from untrusted external sources, including GitHub PR descriptions, comments, and Markdown files within the PR. This content is then used to form instructions for review subagents.
  - Ingestion points: `fetch-diff.md` fetches PR body metadata, comments, and commit messages. It also reads the full content of any changed `.md` files in the repository.
  - Boundary markers: The skill lacks explicit boundary markers or instructions to ignore embedded commands when presenting this untrusted data to the analysis subagents.
  - Capability inventory: The agent can execute shell commands (`git`, `gh`), modify local files (Step 6), and post review comments to external GitHub repositories (Step 7).
  - Sanitization: No sanitization or filtering is performed on the data retrieved from GitHub before it is passed to the AI models for processing.
- [COMMAND_EXECUTION]: The skill executes system commands (`git`, `gh`) using variables (PR number, repository name, branch name) derived from user-provided URLs or external metadata. This creates a potential command injection surface if the extraction logic is manipulated or if the subagent improperly handles malicious input in these fields.
Audit Metadata