review-feature
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from GitHub pull request descriptions and issue bodies to define the feature's scope and requirements. This creates a surface for indirect prompt injection where a malicious PR or issue description could contain instructions intended to subvert the agent's findings or influence downstream tasks.
  - Ingestion points: Pull request bodies retrieved via `gh pr view` and issue descriptions retrieved via `gh issue view` (SKILL.md, Phase 0).
  - Boundary markers: The skill outputs findings using a structured markdown format, but it lacks explicit isolation or delimiters for untrusted text interpolated during the audit process.
  - Capability inventory: The skill is restricted to read-only operations and does not have access to `Edit` or `Write` tools (SKILL.md, Operating Rules).
  - Sanitization: Findings are validated against a specific markdown schema (`finding-format.md`), but there is no semantic sanitization of the untrusted input to detect or neutralize instruction-overriding patterns.
Audit Metadata