gh-pr-review
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted content from GitHub pull request reviews and comments.
  - Ingestion points: Comment bodies and review text are retrieved via the GitHub GraphQL API (see internal/report/service.go and internal/report/builder.go).
  - Boundary markers: The skill output does not include delimiters or instructions to differentiate between the tool's structured data and untrusted comment text.
  - Capability inventory: The skill allows the agent to reply to comments, resolve threads, and submit reviews, which could be leveraged to execute injected instructions (see internal/comments/service.go).
  - Sanitization: No sanitization or content validation is performed on the fetched comments beyond whitespace trimming.
- [COMMAND_EXECUTION]: The skill executes the GitHub CLI (gh) as a subprocess to interact with the GitHub API.
  - Evidence: The internal/ghcli/ghcli.go file implements a wrapper around the os/exec package to run gh commands.
- [EXTERNAL_DOWNLOADS]: The skill is installed as an extension from a remote repository and utilizes Vercel's skill addition tool.
  - Evidence: README.md documentation provides instructions for installing the extension from GitHub and using npx @vercel/add-skill.