review-reply

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted pull request comments and review summaries fetched from GitHub, making it susceptible to indirect prompt injection attacks where a malicious contributor could influence the agent's logic.
    • Ingestion points: Fetches comment bodies and review data via gh api and GraphQL queries (SKILL.md, Step 1).
    • Boundary markers: There are no explicit instructions for the agent to use delimiters or to ignore embedded instructions when analyzing the external data.
    • Capability inventory: The agent has permissions to modify the codebase (Edit), execute gh CLI commands, and create issues.
    • Sanitization: The instructions do not define a process for sanitizing or filtering the content of the comments before processing.
  • [COMMAND_EXECUTION]: The skill provides shell command templates that incorporate variables derived from untrusted external sources, such as comment bodies.
    • Evidence: Step 5 uses placeholders like {reply_body} inside shell command strings (e.g., gh api ... -f body="{reply_body}").
    • Risk: This pattern creates a potential shell injection vulnerability if the agent performs simple string interpolation without properly escaping characters that have special meaning to the shell.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 12:19 PM
Security Audit — agent-trust-hub — review-reply