code-review-assistant

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from GitHub Pull Requests, including PR titles, descriptions, and the code changes themselves via gh pr view and gh pr checkout in SKILL.md. This data is then processed by multiple specialized AI agents (Security, Performance, etc.) to generate reviews and assessments. Because the skill has the capability to automatically approve PRs (gh pr review --approve) based on these assessments, a malicious contributor could craft a PR with embedded instructions (e.g., in code comments or the PR body) designed to trick the review agents into providing a positive score or ignoring vulnerabilities.
    • Ingestion points: Pull Request title, body, and file contents gathered via gh CLI in SKILL.md.
    • Boundary markers: No explicit delimiters or instructions are used to distinguish PR data from the agent's core instructions.
    • Capability inventory: Access to the gh CLI allows the skill to comment on, approve, and request changes on PRs.
    • Sanitization: No sanitization or filtering of the PR content is performed before it is passed to the AI agents or written to internal review files.
  • [EXTERNAL_DOWNLOADS]: The execution flow relies on npx to run various claude-flow components (e.g., coordination swarm-init, automation auto-agent, security-scan). While these tools appear to be associated with the vendor's ecosystem, they are downloaded and executed from the NPM registry at runtime, representing a dependency on external code.
  • [COMMAND_EXECUTION]: The skill's primary logic is contained in a Bash script within SKILL.md that executes several CLI tools including gh, jq, npx, and bc. User-supplied inputs such as pr_number and focus_areas, as well as data derived from the PR (like PR_TITLE), are interpolated directly into shell commands and file-writing operations (cat <<EOF). While inputs are largely wrapped in double quotes, the lack of strict validation for content retrieved from external PRs could lead to malformed data or schema confusion when building the aggregated-review.json file.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 2, 2026, 07:18 AM
Security Audit — agent-trust-hub — code-review-assistant