pr-reviewer

Fail

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The run_local_lint function in scripts/pr-review.sh passes file paths taken from the pull request straight onto the ruff command line. A pull request that adds a file whose name contains shell metacharacters (e.g. ; touch exploit ;) can run arbitrary commands when the linter is invoked. This is exploitable wherever the path is re-parsed by a shell (an unquoted expansion, eval, or a command string handed to sh -c); a path passed as a single quoted argument ("$path") is not, so that is the check to make when fixing it.
  • [COMMAND_EXECUTION]: In the generate_report function, the PR body and other metadata are interpolated into a heredoc whose delimiter is unquoted (cat << REPORT). The shell performs parameter expansion and command substitution on the text of such a heredoc, so $VAR, backtick and $(...) sequences carried by the pull request description are executed when the PR content becomes part of the heredoc text the shell parses (for example when the report is assembled as a string and evaluated). A value that is expanded once from a variable is not expanded a second time; quoting the delimiter (cat << 'REPORT') and emitting PR-supplied text with printf '%s' removes the surface either way.
  • [REMOTE_CODE_EXECUTION]: Several parts of scripts/pr-review.sh (is_reviewed, update_state and generate_report among them) run python3 -c with shell variables interpolated directly into the Python source string. PR metadata (titles, branch names, commit messages) containing a single quote closes the string literal, and whatever follows is executed as Python. The value should cross into Python as data instead, through an environment variable or a sys.argv element, with the -c source kept in single quotes.
  • [DATA_EXFILTRATION]: The identified injection vulnerabilities allow an attacker to execute arbitrary commands, which could be used to read local configuration files, environment variables, or credentials and send them to an external server.
  • [PROMPT_INJECTION]: The skill feeds untrusted external data (pull request metadata and diffs) into model prompts and other sensitive contexts without boundary markers or sanitization, creating an indirect prompt injection surface: instructions planted in a PR title, description or diff are read as part of the review task.
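The three shell-side findings above, as an added illustration that is not code from scripts/pr-review.sh or from Gen Agent Trust Hub: each vulnerable pattern sits beside a hardened counterpart, and a helper checks whether the injected command actually ran. The hostile inputs are constructed; ruff is stood in for by printf so the script runs anywhere; python3 on PATH is assumed. The heredoc section also shows the caveat from the second finding: a value expanded once from a variable is not re-parsed, and the command substitution only fires when the PR body becomes part of the heredoc text that the shell evaluates.

```shell
#!/usr/bin/env bash
# Added example, not part of the audited skill. Three injection patterns from
# the findings, each beside a hardened form. Inputs below are constructed.

# Constructed hostile inputs standing in for attacker-controlled PR metadata.
HOSTILE_FILENAME='a.py; echo INJECTED;'
HOSTILE_BODY='$(echo INJECTED-HEREDOC)'
HOSTILE_TITLE="x'); print('INJECTED-PY'); ('"

# Finding 1: a file path from the PR spliced into a command string.
# Vulnerable: the string is re-parsed by the shell, so ';' ends the command.
# (printf stands in for ruff so this runs without the linter installed.)
lint_vulnerable() {
    local path="$1"
    eval "printf 'linting %s\n' $path"
}
# Hardened: the path travels as one quoted argv element and is never re-parsed.
lint_hardened() {
    local path="$1"
    printf 'linting %s\n' "$path"
}

# Finding 2: PR body in a heredoc. Expanded once from a variable, the body is
# plain data even with an unquoted delimiter ...
report_single_expansion() {
    local body="$1"
    cat << REPORT
$body
REPORT
}
# ... but when the report is assembled as a string and evaluated, the body is
# part of the heredoc text and the unquoted delimiter lets $(...) execute.
report_vulnerable() {
    local body="$1"
    eval "cat << REPORT
$body
REPORT
"
}
# Hardened: quoted delimiter keeps the template literal; the body is emitted
# as data with printf, so nothing in it reaches the parser.
report_hardened() {
    local body="$1"
    cat << 'REPORT'
=== PR review report ===
REPORT
    printf '%s\n' "$body"
}

# Finding 3: shell variable interpolated into python3 -c source.
# Vulnerable: a single quote in the title closes the literal; the rest is code.
state_vulnerable() {
    local title="$1"
    python3 -c "print('title: $title')"
}
# Hardened: the value crosses into Python as data via the environment
# (PR_TITLE is a name chosen for this example).
state_hardened() {
    local title="$1"
    PR_TITLE="$title" python3 -c 'import os; print("title:", os.environ["PR_TITLE"])'
}

# exploited FUNC INPUT MARKER: succeeds (exit 0) if running FUNC on INPUT
# printed MARKER as a whole line, i.e. the injected command or statement ran.
exploited() {
    "$1" "$2" 2>/dev/null | grep -qx "$3"
}

# Stand-alone run: one verdict per variant.
verdict() {
    if exploited "$1" "$2" "$3"; then
        printf '%-24s injected\n' "$1"
    else
        printf '%-24s safe\n' "$1"
    fi
}
verdict lint_vulnerable "$HOSTILE_FILENAME" INJECTED
verdict lint_hardened "$HOSTILE_FILENAME" INJECTED
verdict report_single_expansion "$HOSTILE_BODY" INJECTED-HEREDOC
verdict report_vulnerable "$HOSTILE_BODY" INJECTED-HEREDOC
verdict report_hardened "$HOSTILE_BODY" INJECTED-HEREDOC
verdict state_vulnerable "$HOSTILE_TITLE" INJECTED-PY
verdict state_hardened "$HOSTILE_TITLE" INJECTED-PY
```

The hardened forms share one rule: PR-supplied text is moved as an argument or an environment value and is never concatenated into something a shell or Python parser will read again. That rule is what to verify in each of the functions the findings name, rather than trying to strip metacharacters from the input.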
Recommendations
  • AI detected serious security threats. The remediations that follow from the findings above:
  • Pass PR-supplied file paths to ruff as quoted argv elements ("$path"), never through eval or a command string.
  • Quote the heredoc delimiter in generate_report (cat << 'REPORT') and write PR-supplied text with printf '%s' instead of expanding it inside the template.
  • Stop interpolating shell variables into python3 -c source; hand values over through environment variables or sys.argv.
  • Wrap PR metadata and diffs in explicit boundary markers and treat them as data, not instructions, before they reach the model.
Audit Metadata
Risk Level: HIGH
Analyzed: May 18, 2026, 01:02 AM
Security Audit — agent-trust-hub — pr-reviewer